I found out when the keytabs were created DES only
for the services. Also in the krb5.conf, we have

[libdefaults]
        ticket_lifetime = 600
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

It seemed to help.



-----------------------------------------

Date: Wed, 6 Apr 2005 13:36:34 -0400
From: Mark Dieterich <[EMAIL PROTECTED]>
To: kerberos@mit.edu
Subject: netapp, nfs, kerberos, and ldap
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Message: 1

Hi all,

I'm fairly new to the list and pretty much a newbie to kerberos and
ldap, so please be gentle with me ;)  First a little background.  We are
starting a project to transition from NIS to kerberos and ldap.  One of
the eventual goals is to offer secure NFS for our linux/solaris clients
talking to a NetApp filer.  In our test environment, we have a kerberos
realm up and running.  Our ldap servers are running nicely and talking
with the kerberos servers to authenticate any updates for certain
kerberos principals.  All of our testing to date has been using linux.


Now the problems:

1.  The NetApp filer wants to see tickets encrypted with des-cbc-crc.
Our kerberos database was initialized with des3-hmac-sha1.  We've added
des-cbc-crc encrypted tickets for the NFS server and even gone to the
point of encrypting our client host principals with des-cbc-crc
encryption types.  However, it seems that regardless of what we do, all
of the cached tickets are ending up with des3-hmac-sha1 encryption,
which is causing communication between the linux nfs client and netapp filer
to fail.  We nuked the kerberos database and reinitialized with
des-cbc-crc encryption.  In this case, even tickets in the database
encrypted with des3-hmac-sha1 are cached on the client with des-cbc-crc
encryption.  I'm clearly missing something here.  I thought that
kerberos would provide the least common denominator for encryption type,
i.e. we could have our database be encrypted with des3-hmac-sha1, with
des-cbc-crc encrypted tickets stored in it.  As long as all the
tickets for a particular service are des-cbc-crc encrypted, the
clients/servers would get des-cbc-crc encrypted tickets.  Can you set me
straight?

2.  I'm missing a piece of the secure NFS puzzle, what handles the
authorization?  Is this ldap?  I know that kerberos handles the
authentication portion.  If this is the case, our NFS solution would
only be as secure as ldap, correct?

I'd be happy to answer any questions you might have.

Thanks!

Mark

________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
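
Added example, not part of either message in this thread: a small Python audit that reads the [libdefaults] section of a krb5.conf and reports which enctype settings pin the client to single DES, as the settings quoted in the reply at the top do. The function name, the result layout and the second sample config are assumptions made for illustration; des-cbc-crc is a single-DES enctype, so a host pinned this way is worth tracking as an exception scoped to the filer.

```python
import re

# Single-DES enctype names accepted in MIT krb5 configuration ("des" is the family alias).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Settings as quoted in the reply at the top of this thread.
THREAD_CONF = """\
[libdefaults]
        ticket_lifetime = 600
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
"""

# Constructed sample: a mixed list, plus a key outside [libdefaults] that must be ignored.
MIXED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = des3-hmac-sha1, des-cbc-crc
[realms]
    default_tkt_enctypes = des-cbc-crc
"""

def audit_libdefaults(text):
    """Map each enctype setting in [libdefaults] to its list and single-DES members."""
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        enctypes = [e.lower() for e in re.split(r"[\s,]+", value) if e]
        weak = [e for e in enctypes if e in SINGLE_DES]
        findings[key] = {"enctypes": enctypes, "single_des": weak,
                         "des_only": bool(enctypes) and weak == enctypes}
    return findings

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("mixed", MIXED_CONF)):
        for key, info in audit_libdefaults(conf).items():
            print(name, key, info)
```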
