[Freeipa-devel] New Kerberos-related bugzillas

Simo Sorce simo at redhat.com
Wed Oct 3 17:49:51 UTC 2012


On Wed, 2012-10-03 at 13:26 -0400, Steve Dickson wrote:
> Hello,
> 
> These issues were found at this Fall's Bake-a-ton... 
> 
> On 03/10/12 13:02, Chuck Lever wrote:
> > 
> > Free IPA does not support weak crypto
> >   https://bugzilla.linux-nfs.org/show_bug.cgi?id=229

DES support is disabled on purpose, IETF also has an RFC approved that
finally says DES *should* not be made available anymore.
DES can be cracked in a matter of hours these days which makes its use
questionable.
DES can be re-enabled manually by twisting a bunch of knobs if you
really want to (including enabling weak crypto in krb5.conf).
So I would close as NOTABUG.

> > Confusing debugging output when configuring NFS over Kerberos 
> >   https://bugzilla.linux-nfs.org/show_bug.cgi?id=230

Not much we (FreeIPA) can do about this one. GSSAPI error codes can be
cryptic at times, but they are returned by libgssapi, not FreeIPA.
Maybe you can add more meat to the debug on the rpc.svcgssd side by
printing out what principal you tried to use.
If you can identify for sure what causes the error we can open a bug
against MIT and see if there is a chance GSSAPI can properly identify
the error. Unfortunately it doesn't help that there are many abstraction
layers involved here and sometimes error messages get mangled/lost in
the process :-/ (Basically KDC errors -> krb5 protocol level error ->
libkrb5 level error -> libgssapi level error -> application)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
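
An added example, not part of the original message or of FreeIPA: a small audit that reports whether a krb5.conf has had the weak-crypto knobs mentioned above turned back on. It assumes the MIT krb5 `[libdefaults]` relations `allow_weak_crypto`, `default_tkt_enctypes`, `default_tgs_enctypes` and `permitted_enctypes`; the sample configuration is constructed.

```python
import re

# Assumed names: MIT krb5 [libdefaults] relations that govern enctype selection.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample input (realm and host names are placeholders).
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = true
  permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc des3-cbc-sha1
  default_tgs_enctypes = aes256-cts -des
[realms]
  EXAMPLE.TEST = {
    kdc = kdc.example.test
  }
"""

def is_single_des(token):
    """True for single-DES names (des, des-cbc-crc, ...); not des3, not removals like -des."""
    t = token.lower()
    if t.startswith("-"):
        return False
    t = t.lstrip("+")
    return t == "des" or t.startswith("des-")

def audit_krb5_conf(text):
    """Return (line_number, finding) tuples for weak-crypto settings in [libdefaults]."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((no, "allow_weak_crypto is enabled"))
        elif key in ENCTYPE_KEYS:
            weak = [t for t in re.split(r"[\s,]+", value) if t and is_single_des(t)]
            if weak:
                findings.append((no, f"{key} lists single-DES enctypes: {', '.join(weak)}"))
    return findings

if __name__ == "__main__":
    for no, finding in audit_krb5_conf(SAMPLE):
        print(f"line {no}: {finding}")
```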



