I don't know what's going on with the NFS portion of this, since I don't use NFS at all, but I can tell you a few things about the Kerberos end.
"Kramarenko A. Maxim" <mc-si...@ya.ru> writes: > But in the keytab there are other types of encryption: > root@debian:~# klist -ke > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-crc) > 3 nfs/debian.sag.local@SAG.LOCAL (des-cbc-md5) > 3 nfs/debian.sag.local@SAG.LOCAL (arcfour-hmac) > 3 nfs/debian.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96) > 3 nfs/debian.sag.local@SAG.LOCAL (aes128-cts-hmac-sha1-96) For a Windows 2008r2 Active Directory domain controller, the only enctypes there that are going to work are arcfour-hmac and aes128. (aes256 might as well in some situations, but I think you have to go to some extra work, or maybe it's that a lot of Windows clients don't support them.) > root@debian:~# grep des /etc/krb5.conf > # default_tgs_enctypes = des3-hmac-sha1 > # default_tkt_enctypes = des3-hmac-sha1 > # permitted_enctypes = des3-hmac-sha1 > default_tgs_enctypes = des-cbc-crc > default_tkt_enctypes = des-cbc-crc > permitted_enctypes = des-cbc-crc You generally don't want to set these parameters, although I realize that used to be the case for NFS. The NFS machinery is going to need to support either arcfour-hmac or aes128, since Windows never supported 3DES, and you don't want to use plain DES any more (and it has to be specifically enabled on the Windows side, if they haven't dropped it entirely now). I'm not sure what enctypes the kernel-level support currently implements. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87obwed0tj....@windlord.stanford.edu
