I upgraded krb5-user from the backports repository, but the error remained the
same:
ARCHIV ~ # dpkg -l | grep -i mit
ii krb5-user 1.9.1+dfsg-3
Basic programs to authenticate using MIT Ke
ii libgssapi-krb5-2
Package: nfs-kernel-server
Version: 1:1.2.4-1~bpo60+1
Severity: normal
Hello!
I have Win2k8 R2 as a domain controller (as KDC for NFS).
There is an NFS client on Debian wheezy: hostname - debian:
root@debian:~# dpkg -l | grep nfs
ii libnfsidmap2 0.24-1
On 11/14/2011 04:57 PM, Mc.Sim wrote:
Hello!
Hi
I have Win2k8 R2 as a domain controller (as KDC for NFS).
There is an NFS client on Debian wheezy: hostname - debian:
I tried to uncomment
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
#
Luk Claes l...@debian.org wrote in a message dated Mon, 14 Nov 2011
19:36:41 +0400:
On 11/14/2011 04:57 PM, Mc.Sim wrote:
Why would that work without changing anything in your Kerberos keytabs?
The keytab contains both types of encryption. (example below in the text)
Nov 14 18:39:20 archiv
I don't know what's going on with the NFS portion of this, since I don't
use NFS at all, but I can tell you a few things about the Kerberos end.
Kramarenko A. Maxim mc-si...@ya.ru writes:
But in the keytab there are other types of encryption:
root@debian:~# klist -ke
Keytab name:
Russ Allbery r...@debian.org wrote in a message dated Mon, 14 Nov 2011
22:19:04 +0400:
I don't know what's going on with the NFS portion of this, since I don't
use NFS at all, but I can tell you a few things about the Kerberos end.
For a Windows 2008r2 Active Directory domain controller, the
On 11/14/2011 01:19 PM, Russ Allbery wrote:
The NFS machinery is going to need to support either arcfour-hmac or
aes128, since Windows never supported 3DES, and you don't want to use
plain DES any more (and it has to be specifically enabled on the Windows
side, if they haven't dropped it
Daniel Kahn Gillmor d...@fifthhorseman.net wrote in a message dated Mon,
14 Nov 2011 23:05:36 +0400:
On 11/14/2011 01:19 PM, Russ Allbery wrote:
You'll need the kernel from squeeze-backports or later to get enctypes
other than des-cbc-crc.
I can attest that 2.6.39-3~bpo60+1 works with
Kramarenko A. Maxim mc-si...@ya.ru writes:
P.S. But kinit gets the same ticket from the KDC? Or does kinit not use the
kernel and use userland-level tools instead?
The NFS server, client, and KDC all have to agree on a single encryption
type, and the encryption type of the service ticket issued by
Russ Allbery r...@debian.org wrote in a message dated Tue, 15 Nov 2011
00:27:01 +0400:
Kramarenko A. Maxim mc-si...@ya.ru writes:
The NFS server, client, and KDC all have to agree on a single encryption
type, and the encryption type of the service ticket issued by the KDC to
the client has
Kramarenko A. Maxim mc-si...@ya.ru writes:
It would be more interesting to run klist -e after attempting to contact
the server, so that you can see what the encryption type of the service
ticket for the NFS server was.
on client:
root@debian:~# kinit -k nfs/debian.sag.local
Russ Allbery r...@debian.org wrote in a message dated Tue, 15 Nov 2011
09:54:29 +0400:
Kramarenko A. Maxim mc-si...@ya.ru writes:
It would be more interesting to run klist -e after attempting to
contact
the server, so that you can see what the encryption type of the service
ticket for the
Kramarenko A. Maxim mc-si...@ya.ru writes:
root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting     Expires            Service principal
11/15/11 11:07:25 11/15/11 21:07:28
Russ Allbery r...@debian.org wrote in a message dated Tue, 15 Nov 2011
11:21:05 +0400:
Kramarenko A. Maxim mc-si...@ya.ru writes:
The only thing that I can think of at this point is that the underlying
GSS-API implementation behind rpc.svcgssd isn't supporting arcfour-hmac
for some reason.