November 2011 Archives

I thought I'd post a quick tip for anyone upgrading a set of clients in a kerberized NFSv4 network. I'm in the process of pushing out CentOS 6 to a cluster currently supported by NFSv4 on CentOS 5 and my standard "setup krb5/nfsv4 client" script didn't leave me with a working client. Instead, I got this error on the NFS server every time I attempted the NFS mount:

gss_kerberos_mech: unsupported algorithm 6

or

gss_kerberos_mech: unsupported algorithm 23

Some advice pointed out that the keytab might need to be written out without the newer key types, but attempting to limit to des-cbc-crc did not fix the problem.

Instead, I found that the following settings in the [libdefaults] section of /etc/krb5.conf fixed my environment:

[libdefaults]
 # cventers: These overrides are TEMPORARY until we have abandoned CentOS 5
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 allow_weak_crypto = true