I thought I'd post a quick tip for anyone upgrading a set of clients in a kerberized NFSv4 network. I'm in the process of pushing out CentOS 6 to a cluster currently supported by NFSv4 on CentOS 5 and my standard "setup krb5/nfsv4 client" script didn't leave me with a working client. Instead, I got this error on the NFS server every time I attempted the NFS mount:
gss_kerberos_mech: unsupported algorithm 6
gss_kerberos_mech: unsupported algorithm 23
Some advice pointed out that the keytab might need to be written out without the newer key types, but attempting to limit to des-cbc-crc did not fix the problem.
Instead, I found that the following settings in the [libdefaults] section of /etc/krb5.conf fixed my environment:
[libdefaults] # cventers: These overrides are TEMPORARY until we have abandoned CentOS 5 default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp allow_weak_crypto = true