[Freeipa-users] Problem with Kerberised NFS mount
Simo Sorce
simo at redhat.com
Fri Jul 12 15:31:49 UTC 2013
On Fri, 2013-07-12 at 14:51 +0000, Ondrej Valousek wrote:
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> handle aes keys).
3des makes little sense, it is the least used enctype.
If you want to be backwards compatible with old kernels you'll have to
stick with DES (not 3DES) which is utterly insecure these days.
Otherwise go straight to AES and don't look back.
Support for AES is available since quite a few fedora release and RHEL6
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list