From: Orion Poplawski <orion@nwra.com>
To: Daniel Kobras <kobras@puzzle-itc.de>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>
Subject: Re: Trouble with kerberos encryption types
Date: Fri, 9 May 2025 15:03:06 -0600 [thread overview]
Message-ID: <81edb674-2dd7-4ede-887f-40e6177661e8@nwra.com> (raw)
In-Reply-To: <66ebdde2-916c-4984-8aa8-0a659d89acd8@nwra.com>
[-- Attachment #1: Type: text/plain, Size: 1913 bytes --]
On 5/9/25 13:55, Orion Poplawski wrote:
> On 5/9/25 07:21, Daniel Kobras wrote:
>> Hi!
>>
>> Am 07.05.25 um 19:39 schrieb Orion Poplawski:
>>> I tried adding this to the mac without any change:
>>>
>>> [libdefaults]
>>> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>>> camellia128-cts-cmac
>>> default_tgs_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>>> camellia128-cts-cmac
>>
>> Those are options for MIT's libkrb5. Unless you're using a non-default stack
>> on the mac, you probably want to use Heimdal's default_etypes, or the more
>> specific default_as_etypes/default_tgs_etypes instead.
>
> I ended up slimming down to:
>
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>
> but those are the option names from man krb5.conf on the mac.
I should have trusted you :) - I finally came across this:
https://services.dartmouth.edu/TDClient/1806/Portal/KB/ArticleDet?ID=89203
which has:
default_etypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
and setting that does fix the skey encryption type.
I'm still stuck with the non-renewable ticket that they mention as well, so it
seems like GSSAPI auth from a mac is not very useful.
Thank you very much for your help.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4087 bytes --]
next prev parent reply other threads:[~2025-05-09 21:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-02 17:29 Trouble with multiple kerberos ticket caches Orion Poplawski
2025-05-06 19:54 ` Orion Poplawski
2025-05-07 16:57 ` Daniel Kobras
2025-05-07 17:39 ` Orion Poplawski
2025-05-09 13:21 ` Daniel Kobras
2025-05-09 19:55 ` Trouble with kerberos encryption types Orion Poplawski
2025-05-09 21:03 ` Orion Poplawski [this message]
2025-05-12 15:46 ` Daniel Kobras
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=81edb674-2dd7-4ede-887f-40e6177661e8@nwra.com \
--to=orion@nwra.com \
--cc=kobras@puzzle-itc.de \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox