[Freeipa-users] secure NFSv4 failure after IPA server upgrade
Simo Sorce
simo at redhat.com
Wed Nov 16 19:48:26 UTC 2011
On Wed, 2011-11-16 at 20:44 +0100, Thomas Sailer wrote:
> On 11/16/2011 08:40 PM, Simo Sorce wrote:
> > Are you using DES keys ? In that case you probably need to allow weak
> > crypto on both server and client. Note that if all your server/clients
> > are FC16 and you have no old ones < FC14 or < RHEL 6 then you do not
> > need to force the creation of the nfs/ principal to use only DES keys.
> > Simo.
>
> No. I did not use any -e parameter to ipa-getkeytab, so I got
> aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1 and
> arcfour-hmac. Also, enctype 18 is AFAIK not weak.
>
> I also tried enabling weak crypto, and to use only des keys, but that
> didn't help either.
If you did this on both server and client, then it looks like it is a
nfsd bug, and not a freeipa one.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list