Hello,
after the latest updates of Fedora I noticed kdc.conf.rpmnew was created suggesting new encryption types and enabling preauth. So I added these configuration parameters into my kdc.conf.
Immediately I started having problems with logins because I did not have preauth flag on the user principals. I added them and everything started working.
Thereafter I rebooted a nfs client which was not able to authenticate. I suspected it was due to preauth. So I updated the key to support aes256-cts-hmac-sha384-192 and generated new keytab for one nfs client and nfs server of host/ and nfs/ principals with preauth enabled. But I ended up with the client also not able to mount the volume with permission denied. So I decided to comment out the preauth thing in the kdc.conf and disabled preauth on nfs/ and host/ principals and regenerated the secrets and keytabs. Same problem. Strange thing is I have 3 other nfs clients I did not touch and 2 of them are working and 1 is not, also with permission denied.
Could you please guide me what I did wrong? There should be something I missed but I cannot imagine what. Mainly the other clients I did not touch are a mystery. How is it possible the behavior is not consistent over them? If all would not work or all work it would be more comprehensive. I am pretty sure all the related configurations are the same on the clients except for keytabs. On clients I did not touch I have keys for aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, camellia256-cts-cmac, camellia128-cts-cmac. For the client I touched and the server I have all these plus aes256-cts-hmac-sha384-192 and aes128-cts-hmac-sha256-128. All the encryption types are allowed in kdc.conf and in crypto-policies.
I noticed also some inconsistent behavior on ssh, but again different results between different hosts. It mostly works, but sometimes with an error about KDC encryption type 20 not supported, but login from a non-working machine I did not touch to a non-working machine I touched results in a password prompt. I do not get errors on nfs logins.
Thanks for suggestions.
Marek