[Freeipa-users] IPA and NFS

Simo Sorce simo at redhat.com
Tue Feb 7 16:06:36 UTC 2012


On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote:
> Hey all.
> 
> Left for the day so I'll try and post debug output tomorrow. However I
> think I might have stumbled upon the issue.
> 
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s <server>
> -p host/hostname.domain@DOMAIN

You may also have to enable des keys on the KDC itself, depending on the
IPA version.

You certainly need *exclusively* DES keys for the nfs/fqdn@REALM key
(due to your old client unfortunately). All nfs keys must use only DES
both on the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that
one, and you'd severely degrade your host security by using DES keys in
your host/fqdn principal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
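
An added example, not part of the original message: a small audit of `klist -kte` output that flags the two conditions described above, a single-DES key on a host/ principal and a non-DES key on an nfs/ principal. The sample output, hostnames, and realm are constructed, and the line layout (KVNO, date, time, principal, enctype in parentheses) is an assumption about the local klist version.

```python
import re

# Constructed sample of `klist -kte` output (hostname, realm, timestamps are made up).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 02/07/12 10:00:00 host/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 02/07/12 10:00:00 host/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)
   2 02/07/12 10:05:00 nfs/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)
   2 02/07/12 10:05:00 nfs/nfs1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Assumed entry layout: KVNO, date, time, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")


def is_single_des(enctype):
    """True for des-cbc-* names or older 'DES cbc mode ...' descriptions,
    but not for des3-* / 'Triple DES ...'."""
    e = enctype.lower()
    return e.startswith("des-") or e.startswith("des cbc")


def audit_keytab(klist_output):
    """Return sorted (principal, enctype, finding) tuples for keys that
    contradict the guidance: host/ must not be DES, nfs/ must be DES only."""
    findings = []
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator, or blank line
        principal, enctype = m.group(2), m.group(3)
        service = principal.split("/", 1)[0]
        des = is_single_des(enctype)
        if service == "host" and des:
            findings.append((principal, enctype, "DES key on host/ principal"))
        elif service == "nfs" and not des:
            findings.append((principal, enctype, "non-DES key on nfs/ principal"))
    return sorted(findings)


if __name__ == "__main__":
    for principal, enctype, finding in audit_keytab(SAMPLE):
        print(f"{finding}: {principal} ({enctype})")
```

To check a real keytab, pass the captured text of `klist -kte` (run as root) to `audit_keytab` instead of `SAMPLE`.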



