I don't know what's going on with the NFS portion of this, since I don't use NFS at all, but I can tell you a few things about the Kerberos end.For a Windows 2008r2 Active Directory domain controller, the only enctypesthere that are going to work are arcfour-hmac and aes128. (aes256 mightas well in some situations, but I think you have to go to some extra work,or maybe it's that a lot of Windows clients don't support them.) You generally don't want to set these parameters, although I realize that used to be the case for NFS. The NFS machinery is going to need to support either arcfour-hmac or aes128, since Windows never supported 3DES, and you don't want to use plain DES any more (and it has to be specifically enabled on the Windows side, if they haven't dropped it entirely now). I'm not sure what enctypes the kernel-level support currently implements.
Thank you all for your answers. Russ,I absolutely agree with you. Win 2k8 works correctly with the arcfour-hmac (RC4-HMAC) and AES 128 (not supported by WinXP and younger).
Therefore, the application settings allow_weak_crypto not helping me.But how can I check the support RC4-HMAC, and AES128, to make sure that reason the problem? And how do we know up to what I need to upgrade the kernel to have a stable system and running NFS?
P.S. But kinit gets the same ticket from KDC? Or kinit does not use the kernel and uses the tools of userland-level?
P.P.S.:
I also tried to explicitly specify the type of encryption in krb5.conf:
=============
root@debian:~# grep -e rc4 -e des /etc/krb5.conf
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
# default_tgs_enctypes = des-cbc-crc
# default_tkt_enctypes = des-cbc-crc
# permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/14/11 22:51:28 11/15/11 08:51:36 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 22:51:28
=============
and on server
=============
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/14/11 22:53:45 11/15/11 08:53:45 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/15/11 22:53:45
====================
And once again got an error on the server:
===================
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in
handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS
failure. Minor code may provide more information) - No supported
encryption types (config file error?)
-- Best Regards