I'll assume we are dealing with a Linux NFS client here. The problem
is that the Linux kernel code currently (still) only supports
des-cbc-crc. However, if the nfs service principal is set up correctly
(with only a des key), there should be no need to restrict the enctypes
in krb5.conf. Prob
Mark Dieterich wrote:
> Ahh... So maybe this is my problem. Should I be limiting the
> encryption type on my client side? I'm positive that we have limited
> the nfs/host service principals to des-cbc-crc, but our client configs
> allow stronger encryption types. The clients seem to be getting
Ahh... So maybe this is my problem. Should I be limiting the
encryption type on my client side? I'm positive that we have limited
the nfs/host service principals to des-cbc-crc, but our client configs
allow stronger encryption types. The clients seem to be getting 3DES
keys. It's actually
Thank you, Jeffrey, for pointing it out.
Sorry, I didn't make it clear.
It's on the client side, by restricting the requested
enctypes in the krb5.conf. In our case, the clients
don't support 3DES encryption.
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
user wrote:
> I found out when the keytabs were created DES only
> for the services. Also in the krb5.conf, we have
>
> [libdefaults]
> ticket_lifetime = 600
> default_realm = EXAMPLE.COM
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
-
Date: Wed, 6 Apr 2005 13:36:34 -0400
From: Mark Dieterich <[EMAIL PROTECTED]>
To: kerberos@mit.edu
Subject: netapp, nfs, kerberos, and ldap
> "Mark" == Mark Dieterich <[EMAIL PROTECTED]> writes:
Mark> encryption. I'm clearly missing something here. I thought
Mark> that kerberos would provide the least common denominator for
Mark> encryption type, i.e. we could have our database be
Mark> encrypted with des3-hmac-s
Hi all,
I'm fairly new to the list and pretty much a newbie to kerberos and
ldap, so please be gentle with me ;) First a little background. We are
starting a project to transition from NIS to kerberos and ldap. One of
the eventual goals is to offer secure NFS for our linux/solaris clients