Jason, BTW I tested with my Linux MIT kdc and used an RC4-HMAC key for nfs/fqdn in the keytab only and it seems to work too.
I see: Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5 So I would expect to work with a Windows kdc and handling RC4 is easier as you don't need to worry about the DES flag and salt. Markus [EMAIL PROTECTED]:# mount -t nfs4 -o rw,sec=krb5 opensuse.suse.home:/ /suse_work [EMAIL PROTECTED]:~> ls /suse_work/ ls: cannot access /suse_work/: Permission denied [EMAIL PROTECTED]:~> kinit Password for [EMAIL PROTECTED]: [EMAIL PROTECTED]:~> ls /suse_work/ src [EMAIL PROTECTED]:~> klist -e Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [EMAIL PROTECTED] Valid starting Expires Service principal 01/07/08 20:37:05 01/08/08 06:37:05 krbtgt/[EMAIL PROTECTED] renew until 01/08/08 20:37:05, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 01/07/08 20:37:11 01/08/08 06:37:05 nfs/[EMAIL PROTECTED] renew until 01/08/08 20:37:05, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5 [EMAIL PROTECTED]:~> sudo klist -ekt Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 3 01/07/08 20:25:41 host/[EMAIL PROTECTED] (ArcFour with HMAC/md5) 6 01/07/08 20:25:41 nfs/[EMAIL PROTECTED] (ArcFour with HMAC/md5) "Jason D. McCormick" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Douglas E. Engert wrote: >> The problem might be that on the AD account the UserAccountControl flag >> does not have the USE_DES_KEY_ONLY 0x200000 set, So AD is returning an >> ArcFour ticket, which is not in the keytab. ktpass has a /DESOnly option >> to set this. >> >> See kb 305144 too. > > This is EXACTLY what I needed. Everything works now. Thanks to > everyone for the help. > > - Jason > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos