Russ Allbery <r...@debian.org> wrote in his message of Mon, 14 Nov 2011 22:19:04 +0400:

I don't know what's going on with the NFS portion of this, since I don't
use NFS at all, but I can tell you a few things about the Kerberos end.

For a Windows 2008r2 Active Directory domain controller, the only enctypes
there that are going to work are arcfour-hmac and aes128.  (aes256 might
as well in some situations, but I think you have to go to some extra work,
or maybe it's that a lot of Windows clients don't support them.)

You generally don't want to set these parameters, although I realize that
used to be the case for NFS.

The NFS machinery is going to need to support either arcfour-hmac or
aes128, since Windows never supported 3DES, and you don't want to use
plain DES any more (and it has to be specifically enabled on the Windows
side, if they haven't dropped it entirely now).  I'm not sure what
enctypes the kernel-level support currently implements.

Thank you all for your answers.

Russ,

I absolutely agree with you. Win 2k8 works correctly with arcfour-hmac (RC4-HMAC) and AES 128 (not supported by WinXP and younger).
Therefore, applying the allow_weak_crypto setting is not helping me.
But how can I check for RC4-HMAC and AES128 support, to make sure that this is the reason for the problem? And how do we know what I need to upgrade the kernel to in order to have a stable system and a running NFS?

P.S. But does kinit get the same ticket from the KDC? Or does kinit not use the kernel and use userland-level tools instead?

P.P.S.:
I also tried to explicitly specify the type of encryption in krb5.conf:
=============
root@debian:~# grep -e rc4 -e des /etc/krb5.conf
#      default_tgs_enctypes = des3-hmac-sha1
#      default_tkt_enctypes = des3-hmac-sha1
#      permitted_enctypes = des3-hmac-sha1
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        permitted_enctypes = rc4-hmac
#       default_tgs_enctypes = des-cbc-crc
#       default_tkt_enctypes = des-cbc-crc
#       permitted_enctypes = des-cbc-crc
root@debian:~# kinit -k  nfs/debian.sag.local
root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/14/11 22:51:28  11/15/11 08:51:36  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/15/11 22:51:28
=============
and on the server:
=============
ARCHIV ~ # vim /etc/krb5.conf
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/14/11 22:53:45  11/15/11 08:53:45  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/15/11 22:53:45
====================
And once again got an error on the server:
===================
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 14 22:54:40 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)


--
Best Regards
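
One way to check the userland side of the question above, as an added example that is not part of the original message: it compares the active permitted_enctypes in krb5.conf text with the key enctypes that `klist -ke` lists for one principal. The keytab listing is constructed, the function names are hypothetical, and the check says nothing about which enctypes the kernel supports.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Map the alias spellings MIT krb5 accepts onto one canonical name each.
canon() {
    case "$1" in
        rc4-hmac|arcfour-hmac|arcfour-hmac-md5) echo arcfour-hmac ;;
        aes128-cts|aes128-sha1|aes128-cts-hmac-sha1-96) echo aes128-cts-hmac-sha1-96 ;;
        aes256-cts|aes256-sha1|aes256-cts-hmac-sha1-96) echo aes256-cts-hmac-sha1-96 ;;
        des3-hmac-sha1|des3-cbc-sha1-kd|des3-cbc-sha1) echo des3-cbc-sha1 ;;
        *) echo "$1" ;;
    esac
}

# krb5.conf text on stdin -> active permitted_enctypes ('#' lines never match).
permitted() {
    sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=//p' | tr ', ' '\n\n' |
    while read -r e; do if [ -n "$e" ]; then canon "$e"; fi; done | sort -u
}

# `klist -ke` text on stdin -> key enctypes held for principal $1.
# Assumes the short enctype name is printed in parentheses after the principal.
keytab_enctypes() {
    awk -v p="$1" '$2 == p { gsub(/[()]|DEPRECATED:/, "", $3); print $3 }' |
    while read -r e; do canon "$e"; done | sort -u
}

# usable CONF_TEXT KLIST_TEXT PRINCIPAL: print enctypes present in both lists,
# one per line; exit status 1 when the two lists have nothing in common.
usable() {
    common=$(printf '%s\n' "$1" | permitted | while read -r e; do
        if printf '%s\n' "$2" | keytab_enctypes "$3" | grep -qFx -e "$e"; then
            echo "$e"
        fi
    done)
    [ -n "$common" ] && printf '%s\n' "$common"
}

# Constructed samples: two of the settings tried in the message, made-up keytab.
CONF_DES3='[libdefaults]
        permitted_enctypes = des3-hmac-sha1'
CONF_RC4='[libdefaults]
#      permitted_enctypes = des3-hmac-sha1
        permitted_enctypes = rc4-hmac'
KLIST='   3 nfs/archiv.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/archiv.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96)'
P=nfs/archiv.sag.local@SAG.LOCAL
usable "$CONF_DES3" "$KLIST" "$P" || echo "des3-only config: no common enctype"
usable "$CONF_RC4" "$KLIST" "$P"
```

On a real host, feed the functions the contents of /etc/krb5.conf and the output of `klist -ke` run as root; `klist -e` shows the same information for the tickets in the credential cache.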


