Migrating from old krb5/NFSv4 to newer krb5/NFSv4

By Chase Venters on November 11, 2011 | No Comments | No TrackBacks

I thought I'd post a quick tip for anyone upgrading a set of clients in a kerberized NFSv4 network. I'm in the process of pushing out CentOS 6 to a cluster currently supported by NFSv4 on CentOS 5 and my standard "setup krb5/nfsv4 client" script didn't leave me with a working client. Instead, I got this error on the NFS server every time I attempted the NFS mount:

gss_kerberos_mech: unsupported algorithm 6

or

gss_kerberos_mech: unsupported algorithm 23

Some advice pointed out that the keytab might need to be written out without the newer key types, but attempting to limit to des-cbc-crc did not fix the problem.

Instead, I found that the following settings in the [libdefaults] section of /etc/krb5.conf fixed my environment:

[libdefaults]
 # cventers: These overrides are TEMPORARY until we have abandoned CentOS 5
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 arcfour-hmac-exp
 allow_weak_crypto = true

Tags:

No TrackBacks

TrackBack URL: http://www.chaseventers.org/cgi-bin/mt/mt-tb.cgi/46

Leave a comment

Search

About this Entry

This page contains a single entry by Chase Venters published on November 11, 2011 12:17 AM.

qpsmtpd plugins was the previous entry in this blog.

Modifying Your Sports Car is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.