>>>>> "Russ" == Russ Allbery <email address hidden> writes:
Russ> Jochen <email address hidden> writes:
>> After upgrading the krb5 libraries to 1.8 I could not mount my
>> Kerberized NFS4 shares. The following error message is in the
>> syslog for every mount attempt:
>> rpc.gssd: rpcsec_gss: gss_init_sec_context: (major)
>> Unspecified GSS failure. Minor code may provide more information
>> - (minor) Program lacks support for encryption type
>> Switching back to 1.7 fixes this problem.
Russ> Sounds like NFS v4 doesn't support stronger encryption types
Russ> than DES. You'll need to add:
Russ> allow_weak_crypto = true
Russ> to the [libdefaults] section of your krb5.conf file.
Right. I really think this is a gssd bug: the NFS folks have had
multiple years to implement something stronger than DES. Unlike with
OpenAFS, the protocol has been quite clear; it's purely a matter of
The workaround Russ suggests is the right user-level fix. My comments
are more intended to address what the focus should be for the
distributions in terms of fixing this.
We're adding an API to krb5 to fix this for OpenAFS. Because of the way
the API is constructed, it's very difficult for GSSD to actually call