On Wed, Oct 28, 2009 at 5:33 PM, Mikhail T. <[email protected]> wrote:
> Hello!
>
> The message at
>
>     http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html
>
> warns about using anything but des-cbc-crc for NFS-access on Linux, but
> ends with:
>
>     RHEL 5 has MIT 1.6, so the problem shouldn't exist there.
>
> I'm currently struggling to make the KRB5-secured NFS-mounts work
> between RHEL-5.4 client and a Solaris-8 server. The mounts succeed:
>
>     apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=x.x.x.x)
>
> but any attempt to access the mounted share (/mnt) is denied. All such
> attempts also result in the following messages logged by rpc.gssd on the
> client:
>
>     WARNING: Failed to create krb5 context for user with uid 18039 for
>     server apdevl.dev.pathfinder.com
>
> Am I right thinking, the problem is due to des-cbc-crc being disabled
> realm-wide here? (The DES cipher is deemed too insecure by the network
> admins.) Should I still have this problem -- despite running RHEL-5.4?
> Any chance, support for stronger ciphers was added to Linux NFS-clients
> since RHEL-5.4 was released?
>
> Thanks a lot! Yours,
>
> -mi

Yes, if des-cbc-crc is disabled realm-wide then I think you will have
problems with Linux NFS. This is not a Kerberos problem.

The "problem" I was referring to with the note, "RHEL 5 has MIT 1.6, so
the problem shouldn't exist there.", was the necessity of limiting all
applications on the client to des-cbc-crc by specifying
"default_tgs_enctypes = des-cbc-crc" in /etc/krb5.conf. There is no need
to do this for RHEL 5 machines since Linux's rpc.gssd and Kerberos have
the code to limit the negotiation to only des-cbc-crc for NFS.

Unfortunately, the code to support stronger ciphers has not made it into
the Linux kernel yet, and I don't have any idea when it will finally make
it in.

Let me know if you have other questions...

K.C.
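
An added example, not part of either message: a small Python check that flags a krb5.conf still carrying the client-wide workaround the reply describes ("default_tgs_enctypes = des-cbc-crc"), which limits every Kerberos application on the host to single DES rather than only NFS. The sample files, realm name and function names are constructed for illustration; default_tkt_enctypes and permitted_enctypes are standard [libdefaults] options that the thread does not mention.

```python
import re

# Single-DES enctype names accepted by MIT krb5 ("des" is the family alias).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes")

def libdefaults(conf_text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def des_only_settings(conf_text):
    """List enctype settings that restrict the whole host to single DES."""
    hits = []
    for key, value in libdefaults(conf_text).items():
        enctypes = [e.lower() for e in re.split(r"[\s,]+", value) if e]
        if key in ENCTYPE_KEYS and enctypes and all(e in SINGLE_DES for e in enctypes):
            hits.append((key, enctypes))
    return hits

# Constructed sample files, not taken from the thread.
OLD_WORKAROUND = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # client-wide NFS workaround
    default_tgs_enctypes = des-cbc-crc
"""
CLEAN = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
"""

if __name__ == "__main__":
    for name, text in (("old workaround", OLD_WORKAROUND), ("clean", CLEAN)):
        print(name, "->", des_only_settings(text) or "no DES-only restriction")
```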
