From: Jim Rees <rees@umich.edu>
To: Michael Weiser <M.Weiser@science-computing.de>
Cc: linux-nfs@vger.kernel.org
Subject: Re: NFSv4 post-1.2.2 nfs-utils client fails to mount from pre-1.2.3 nfs-utils server
Date: Mon, 12 Mar 2012 16:24:36 -0400
Message-ID: <20120312202436.GA13407@umich.edu>
In-Reply-To: <20120312200221.GS29573@science-computing.de>

Michael Weiser wrote:

  A direct workaround is to set the following options in /etc/krb5.conf of
  client and server:
  
  [libdefaults]
  default_tkt_enctypes = des-cbc-md5
  permitted_enctypes = des-cbc-md5
  
  , add des-cbc-md5 keys to the keytabs of both machines and allow Single
  DES for both machines' principals on the KDC (MS AD 2008r2 in particular
  wants it enabled explicitly). This however not only limits the
  encryption types of session keys but all tickets as well and applies to
  the whole machine not just the NFSv4 service. This has a needlessly high
  security impact on both machines.

Could this go in an appdefaults clause instead?

My guess is not.  I remember having to add allow_weak_crypto to libdefaults
instead of appdefaults.  But I thought I'd ask.

If not, a command line argument to gssd seems reasonable.
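
An added example, not part of the original message or of nfs-utils: a small Python check that flags the single-DES settings discussed above in a krb5.conf and reports the section each one sits in, so a host-wide [libdefaults] entry stands out. The function names and the sample file contents are constructed for illustration.

```python
import re

# krb5.conf relations that carry an enctype list.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: the workaround quoted in the message, plus the
# allow_weak_crypto switch mentioned in the reply and one strong-only line.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5
allow_weak_crypto = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
"""

def is_single_des(enctype):
    """Match single-DES names (des, des-cbc-md5, ...) but not des3-*."""
    return enctype == "des" or enctype.startswith("des-")

def audit_krb5_conf(text):
    """Return (section, key, values) for each single-DES related setting."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue  # closing braces and other non-relations
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            weak = [e for e in re.split(r"[,\s]+", value) if is_single_des(e)]
            if weak:
                findings.append((section, key, weak))
        elif key == "allow_weak_crypto" and value in TRUE_VALUES:
            findings.append((section, key, [value]))
    return findings

if __name__ == "__main__":
    for section, key, values in audit_krb5_conf(SAMPLE):
        print(f"[{section}] {key}: {' '.join(values)}")
```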
