Notes on NFSv4 experiments

posted May 17, 2011, 9:55 AM by William Shallum [ updated May 17, 2011, 10:26 AM ]

Today was a public holiday so spent the time with xen-tools in Debian Squeeze, setting up 4 VMs on an Atom PC. Not bad. They idle well at least.

Notes:

In /etc/exports there must be at least one export with fsid=0. This is the root of the exports hierarchy. See: http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html#pseudofs

On the NFS server, the nfs/<hostname> key in the keytab needs to be of type des-cbc-crc. There should be no other key types in the keytab for nfs/<hostname>. See: http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html

To check:

do clients need the nfs/<hostname> key? NO the client can use host/<hostname> instead. Doesn't seem to be any restrictions on alternative key types although I haven't checked what would happen if the des-cbc-crc key was deleted from the client's keytab.
is the option allow_weak_crypto=true in /etc/krb5.conf really necessary? YES, both on the client and server. des-cbc-crc is weak crypto.
are there any alternatives to setting allow_weak_crypto to true?

William Shallum

William Shallum	Search this site