FYI I've made an attempt to update this page:
http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
If someone could please take a look and correct any errors I've made that would
be nice.
Some questions:
* should a client have an nfs/<fqdn> principal (it works without)
* Is the "allow_weak_crypto=true" part still correct?
David
--
"Don't worry, you'll be fine; I saw it work in a cartoon once..."
On Tue, May 25, 2010 at 02:24:07PM +0100, David Greaves wrote:
> FYI I've made an attempt to update this page:
> http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
>
> If someone could please take a look and correct any errors I've made that
> would be nice.
>
> Some questions:
> * should a client have an nfs/<fqdn> principal (it works without)
I'm actually not sure what the latest client requires--I thought it
still needed some kind of machine credential on the client.
> * Is the "allow_weak_crypto=true" part still correct?
Yes, unless you're running the very latest (unreleased) upstream kernel
and nfs-utils, which includes support for stronger crypto.
--b.
On Tue, May 25, 2010 at 4:37 PM, J. Bruce Fields <[email protected]> wrote:
>
> On Tue, May 25, 2010 at 02:24:07PM +0100, David Greaves wrote:
> > FYI I've made an attempt to update this page:
> > ? http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
> >
> > If someone could please take a look and correct any errors I've made that
> > would be nice.
> >
> > Some questions:
> > * should a client have an nfs/<fqdn> principal ?(it works without)
>
> I'm actually not sure what the latest client requires--I thought it
> still needed some kind of machine credential on the client.
Kerberos mounts can be done w/o a machine credential, but root (or the
user doing the mount) must obtain credentials somehow. To be
workable, I would think that a keytab of some kind is required (with a
cron using it to keep credentials fresh).
> > * Is the "allow_weak_crypto=true" part still correct?
>
> Yes, unless you're running the very latest (unreleased) upstream kernel
> and nfs-utils, which includes support for stronger crypto.
>
> --b.
> --