But that said, the situation in Bookworm might not be optimal for
kerberized NFS setups.
Regards,
Salvatore
We tried to do an upgrade to Trixie just to see how the situation was
looking there, and at least for now the problem persists:
root@basic-nas:~# uname -a
Linux basic-nas.lab.skyfritt.net 6.12.17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.17-1 (2025-03-01) x86_64 GNU/Linux
root@basic-nas:~# cat /boot/config-6.12.17-amd64 | grep AES_SHA2
# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set
root@basic-nas:~#
Log file from Trixie when we enforce the encryption schemas in question
from the clients:
Mar 18 09:43:42 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
Mar 18 09:44:53 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
I hope you will consider including RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 in
future main kernel releases, or if possible include it as a module.
--
Best Regards,
Jostein Fossheim
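
The check described in the message above, as an added example that is not part of the original thread: it extracts the enctypes rejected in rpc.svcgssd log lines and reports the state of the kernel option that gates each one. The function names, the sample config and the sample log lines are constructed for illustration; the AES_SHA1 and CAMELLIA symbols are sibling kernel options that do not appear in the thread.

```sh
# Added example (not from the thread): tie rpc.svcgssd "not permitted" errors to kernel config.

# Kconfig symbol gating a Kerberos enctype in the kernel's RPCSEC_GSS code.
kconfig_for_enctype() {
    case "$1" in
        aes128-cts-hmac-sha256-128|aes256-cts-hmac-sha384-192)
            echo CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 ;;
        aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96)
            echo CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 ;;
        camellia128-cts-cmac|camellia256-cts-cmac)
            echo CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA ;;
        *) return 1 ;;
    esac
}

# Unique enctype names taken from "Encryption type X not permitted" log text.
rejected_enctypes() {
    sed -n 's/.*Encryption type \([A-Za-z0-9-]*\) not permitted.*/\1/p' "$1" | sort -u
}

# State of a symbol in a kernel config file: y, m, or unset.
option_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1")
    echo "${state:-unset}"
}

# One line per rejected enctype: "<enctype> <symbol> <state>".
diagnose() {
    rejected_enctypes "$2" | while read -r etype; do
        if sym=$(kconfig_for_enctype "$etype"); then
            echo "$etype $sym $(option_state "$1" "$sym")"
        else
            echo "$etype unknown-symbol unknown"
        fi
    done
}

# Constructed sample inputs modelled on the output quoted in the thread.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y' \
        '# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set' > "$dir/config"
    printf '%s\n' \
        'Mar 18 09:43:42 nas rpc.svcgssd[1833]: Encryption type aes256-cts-hmac-sha384-192 not permitted' \
        'Mar 18 09:44:53 nas rpc.svcgssd[1833]: Encryption type aes128-cts-hmac-sha256-128 not permitted' > "$dir/log"
    diagnose "$dir/config" "$dir/log"
    rm -rf "$dir"
}
demo
```

On a real host, diagnose would be pointed at /boot/config-$(uname -r) and a file holding the saved rpc.svcgssd journal output.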