Re: where can I ask user qns about nfs4?

[steve <steve@steve-ss.com>]

On 06/02/12 17:39, J. Bruce Fields wrote:
> On Sun, Feb 05, 2012 at 12:37:28PM -0500, Jim Rees wrote:
>> Liam Gretton wrote:
>>
>>    On 05/02/2012 14:16, Jim Rees wrote:
>>    >There is a a NFS wiki, and it does have kerberos setup instructions:
>>    >http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
>>    >
>>    >The wiki has mostly been used by developers for developer info but it might
>>    >be a good thing to use it for more general info too.
>>
>>    Thanks, the problem isn't getting NFS with Kerberos to work in
>>    general, it's with AD as the KDC. It seems that NFS still only
>>    accepts DES encrypted Kerberos tickets, and these are specifically
>>    disabled in Windows Server 2008 R2.
>>
>> Wasn't that fixed recently?
> Yes, it supports some AES-based enctypes now, for example.  I wouldn't
> know a better source of the details than
>
> 	git log net/sunrpc/auth_gss/gss_krb5_*
>
> If someone wanted to summarize the situation for the wiki, go for it.
Hi
nfs with arcfour seems OK here with Samba 4. I don't think it's the 
default for AD but your windows admins may be happier with it. I think 
his is the relevant bit:

Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using 
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime: 
2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, 
des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45421 for 
nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-02-06T19:44:47 starttime: 
2012-02-06T19:44:47 endtime: 2012-02-07T05:44:47 renew till: 20

HTH
Steve