From: Jim Rees <rees@umich.edu>
To: Michael Weiser <M.Weiser@science-computing.de>
Cc: linux-nfs@vger.kernel.org
Subject: Re: NFSv4 post-1.2.2 nfs-utils client fails to mount from pre-1.2.3 nfs-utils server
Date: Mon, 12 Mar 2012 16:24:36 -0400
Message-ID: <20120312202436.GA13407@umich.edu>
In-Reply-To: <20120312200221.GS29573@science-computing.de>

Michael Weiser wrote:

  A direct workaround is to set the following options in /etc/krb5.conf of
  client and server:

  [libdefaults]
          default_tkt_enctypes = des-cbc-md5
          permitted_enctypes = des-cbc-md5

  , add des-cbc-md5 keys to the keytabs of both machines and allow Single
  DES for both machines' principals on the KDC (MS AD 2008r2 in particular
  wants it enabled explicitly). This however not only limits the
  encryption types of session keys but all tickets as well and applies to
  the whole machine not just the NFSv4 service. This has a needlessly high
  security impact on both machines.

Could this go in an appdefaults clause instead?
My guess is not. I remember having to add allow_weak_crypto to libdefaults
instead of appdefaults. But I thought I'd ask.

If not, a command line argument to gssd seems reasonable.
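
The following is an added example, not part of the message above and not nfs-utils or krb5 code: a small audit that reports where a krb5.conf enables single DES, so a machine-wide workaround like the quoted one can be found and removed later. The function name, sample realm and sample file contents are constructed for illustration.

```python
import re

# Single-DES enctype names accepted by MIT krb5 ("des" is the family alias).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}
TRUE_VALUES = {"y", "yes", "t", "true", "on", "1"}

def audit_krb5_conf(text):
    """Return (section, key, detail) tuples for settings that enable single DES."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep:
            continue  # closing brace or other non-assignment line
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((section, key, "weak enctypes enabled"))
        elif key in ENCTYPE_KEYS:
            # Tokens are separated by spaces or commas; "-name" removes a type.
            names = [t.lstrip("+").lower() for t in re.split(r"[\s,]+", value)
                     if t and not t.startswith("-")]
            weak = [n for n in names if n in WEAK]
            if weak:
                scope = "only" if len(weak) == len(names) else "includes"
                findings.append((section, key, f"{scope} single DES: {', '.join(weak)}"))
    return findings

# Constructed sample: the workaround quoted in the message, plus a mixed list.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des-cbc-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, des-cbc-crc
"""

if __name__ == "__main__":
    for section, key, detail in audit_krb5_conf(SAMPLE):
        print(f"[{section}] {key}: {detail}")
```

Each finding carries the section name, which shows whether the setting sits in [libdefaults] and therefore applies to the whole machine.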