Dear Maintainers my bug report contained the neccessary information to understand the whole problem, but it is quite complex.
FIXING bullseye NFS4 Kerberos with SAMBA Probably debian uses an outdated version of rpc.gssd , SAMBA behaves 100% correctly and someone removed support for weak rpc.gssd encryption from the 5.10 kernel. In short: rpc.gssd wants a nfs/... SPN and SAMBA by default only writes weak encryption keys for nfs/... into a keytab. In SAMBA Kerberos SPNs are based on a UPN and you have to set encryption types for the UPN to let samba export better encryption keys for the SPN: net ads enctypes set root/alpha1.centauri.home 31 The samba behaviour is documented at: https://wiki.samba.org/index.php/Generating_Keytabs POTENTIAL SECURITY PROBLEM Except from the debian rpc.gssd bug, what happens is not a bug but by design. But there is no reasonable error message and backward compatibility is broken. Mount tries to use NFS3 if NFS4 fails. Does this create a security problem? Could a mount without kerberos using NFS3 happen in this case? This would break security completely. Sorry, I never used NFS3. Please close this bug if it does not create a security problem via NFS3. I am going to report the rpc.gssd / SAMBA thing as a different bug. Thanks Jürgen
