From: Kevin Coffman <kwc@citi.umich.edu>
To: Di Pe <dipeit@gmail.com>
Cc: Jeff Layton <jlayton@redhat.com>, linux-nfs@vger.kernel.org
Subject: Re: cannot mount nfsv4/krb5 with krb51.7, 1.8 and 1.8.1
Date: Wed, 21 Apr 2010 09:45:14 -0400
Message-ID: <p2t4d569c331004210645w1094fdafx11b9204aa98af4b3@mail.gmail.com>
In-Reply-To: <w2v3b6787961004210632mca9e60bbn9f68dcc2e475cfa1@mail.gmail.com>

This just makes me more confused.  None of those "*enctype" settings
should be required for any of these versions of Kerberos or gssd.  And
they will limit you to DES when the stronger encryption types become
available.

K.C.

On Wed, Apr 21, 2010 at 9:32 AM, Di Pe <dipeit@gmail.com> wrote:
> correction: I did not have this in my earlier testing:
> permitted_enctypes = des-cbc-crc
>
> it worked without permitted_enctypes on suse with krb5 1.6.3 but it
> needed that setting with krb 1.7, 1.8 and 1.8.1
>
> I also tried Ubuntu 10 with krb5 1.8.1 and the strange thing is that
> it does not need any of the enctypes. It just works.
>
> The opentext NFS server does not seem to offer any logging capability.
>
> Thanks
>
>
> On Tue, Apr 20, 2010 at 8:02 PM, Kevin Coffman <kwc@citi.umich.edu> wrote:
>> On Tue, Apr 20, 2010 at 8:19 PM, Di Pe <dipeit@gmail.com> wrote:
>>> On Tue, Apr 20, 2010 at 6:19 AM, Kevin Coffman <kwc@citi.umich.edu> wrote:
>>>> Hi,
>>>>
>>>> If I read this right, you replaced krb5-1.8.1 with krb5-1.6.3 and it
>>>> fixed the problem?
>>>>
>>>> As I noted in your original message, you had "allow_weak_crypto =
>>>> true" in your krb5.conf.  For NFS, this is required with krb5-1.8
>>>> where DES is disabled by default.  Are you certain you have this
>>>> specified in your krb5-1.8.1 /etc/krb5.conf?
>>>
>>>
>>> Yes, I'm positive. 1.8.1 does not work, 1.6.3 does!  This is my current setting:
>>>
>>> [libdefaults]
>>>        default_realm = FHCRC.ORG
>>>        clockskew = 300
>>>        default_tkt_enctypes = des-cbc-crc
>>>        default_tgs_enctypes = des-cbc-crc
>>>        permitted_enctypes = des-cbc-crc
>>>        allow_weak_crypto = true
>>>        forwardable = true
>>>
>>> I should add one more thing: I was using 2 different NFS servers, a
>>> NetApp 7.3.1.1 and Opentext NFS Maestro Server 2008 (formerly
>>> Hummingbird) on Windows 2008 R2 (AD is still 2003 R2). I found out
>>> today that the NetApp had a corrupted keytab and after repairing that
>>> it works fine with 1.8.1. NFS Maestro still only works with 1.6.3.
>>> Since I can use the 1.6.3 rpm package on newer distros I can live
>>> with it for the moment if I block the rpm from getting updated but
>>> it's still kind of a hack.
>>
>> Do you have access to logs on the server that still doesn't work with
>> 1.8.1?  It seems odd that only this combination would fail.
>>
>> K.C.
>>
>
>
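
Added example, not part of the original message or of any project's code: a small Python check that reads the [libdefaults] section of a krb5.conf and reports the settings discussed above, namely the "*enctype" relations pinned to single DES and allow_weak_crypto being enabled. The function names are hypothetical, only flat [libdefaults] relations are handled, and the sample input is constructed from the configuration quoted in the thread.

```python
import re

# Constructed from the [libdefaults] block quoted in the thread.
THREAD_CONF = """
[libdefaults]
       default_realm = FHCRC.ORG
       clockskew = 300
       default_tkt_enctypes = des-cbc-crc
       default_tgs_enctypes = des-cbc-crc
       permitted_enctypes = des-cbc-crc
       allow_weak_crypto = true
       forwardable = true
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Single-DES enctype names (and the "des" family alias) that MIT krb5 treats as weak.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}

def parse_libdefaults(text):
    """Return the flat key/value relations found under [libdefaults]."""
    section, relations = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            relations[key] = value
    return relations

def audit(text):
    """List (setting, finding) pairs for enctype pins and weak-crypto opt-ins."""
    conf, findings = parse_libdefaults(text), []
    for key in ENCTYPE_KEYS:
        listed = [e.lower() for e in re.split(r"[\s,]+", conf.get(key, "")) if e]
        if not listed:
            continue
        only_des = all(e in SINGLE_DES for e in listed)
        findings.append((key, "des-only" if only_des else "explicit-list"))
    if conf.get("allow_weak_crypto", "").lower() in TRUE_VALUES:
        findings.append(("allow_weak_crypto", "enabled"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(THREAD_CONF):
        print(f"{setting}: {finding}")
```

A "des-only" finding means the client cannot negotiate anything stronger even when the KDC and server offer it; "explicit-list" marks a pin that still overrides the library defaults.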
