Bug#657802: nfs-kernel-server: NFSv4 kerberos mount stopped working after upgrade to 6.0.4 point release
Luk Claes <email@example.com> writes:
> The allow_weak_crypto = true alone should be enough to get the weak (cbc
> ones) to work again AFAIK. Though unless one has old clients that don't
> work with stronger encryption it's better to make sure there is a better
> encryption method used for the nfs server AFAICT. I guess the
> documentation on the wikipage (http://wiki.debian.org/NFS/Kerberos)
> should be updated to not mention the cbc one anymore.
> Russ: Which enctype is now preferred and could you please update the
> above wikipage accordingly, TIA?
I personally have never used Kerberized NFS (we're an AFS site), so I'm
not really the one to comment on what enctypes NFS requires. I don't
track NFS development at all. But if NFS is no longer limited to DES,
it's very likely that it now supports the full range of standard Kerberos
enctypes, in which case the right thing to do is to just leave off the -e
flag completely and let the Kerberos infrastructure use whatever its
default configured enctype list is.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>