Hi Again,
Can you please confirm by doing a kernel build e.g. with version
available in bookworm-backports, which would be recent enough with
this enabled make your setup work?

I can now confirm that everything works as expected with a custom kernel build, as you suggested.

We tested with 6.12 though, but we assume that any kernel with the config_options you refer to above will work.

For you though I think the following might be relevant to help making
setups with "old" kernel work, would be great if you can confirm that
as well:

https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=9b1f860a3457328a08395651d029a454e0303454

Note that though this only landed in nfs-utils-2-7-1-rc5 and you have
it not available in nfs-utils in Debian bookworm.

I can also confirm that newer nfs-utils fixes this problem from the client side with the options suggested; we tested with Fedora 41 though:

'allowed-enctypes=aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96'


Available packages
Name           : nfs-utils
Epoch          : 1
Version        : 2.8.1
Release        : 7.rc2.fc41
Architecture   : x86_64
Download size  : 481.0 KiB
Installed size : 1.4 MiB

Handy for testing, since we can manually enforce encryption types against the server; it would be handy with a backport of nfs-utils.

But that said the situation in Bookworm might not be optimal for
kerberized NFS setups.

After all, our original approach, just to limit the usable keytabs on the nfs-server, will work as well, so this problem is not that severe, but one has to know about this limitation in Debian, and exactly which factors affect one's setup.

So we can conclude that there are at least 3 workarounds for kerberized nfs-servers running bookworm.

Best Regards,

Jostein Fossheim
