[Andreas B. Mundt]
> For kerberized NFSv4 on squeeze 6.0.4 you need:
>
> [libdefaults]
> permitted_enctypes = des-cbc-crc
> allow_weak_crypto = true

This setting broke Kerberos authentication using pam_sss. I found
lines like this in the server kdc.log:

  Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for krbtgt/INTERN@INTERN, Additional pre-authentication required

I then looked up what the etypes meant, and found
<URL: http://pig.made-it.com/kerberos-etypes.html > mapping IDs to
names.

By adding the names for 16-18,23 to krb5.conf on the KDC I was able to
get pam_sss working again. The result looked like this:

  [libdefaults]
  permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
  allow_weak_crypto = true

I'm not sure which of these etypes should be listed, nor the other
consequence of listing them like this, but thought it best to mention
it here.

Is this a good solution? Which of the etypes should one permit? Will
any of them cause problems with NFSv4 or other systems?
--
Happy hacking
Petter Reinholdtsen
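
An added example, not part of the original message or of any Kerberos package: it decodes the etype IDs in the kdc.log line quoted above and compares them with a permitted_enctypes value, showing that the DES-only setting permits none of the four offered types while the widened one permits all of them but still allows single DES. The function names and the alias table are assumptions of this example; the ID numbers follow the IANA Kerberos encryption type registry.

```python
import re

# IANA Kerberos etype numbers -> names as spelled in the message above.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Alternate spellings of the same etype, folded to the names above.
ALIASES = {"des3-cbc-sha1": "des3-cbc-sha1-kd", "des3-hmac-sha1": "des3-cbc-sha1-kd",
           "arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([\d ]+)\}\)")

def requested_etypes(log_line):
    """Return the etype names a client offered in a krb5kdc request line."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    return [ETYPES.get(int(n), "unknown-%s" % n) for n in m.group(3).split()]

def permitted_set(value):
    """Normalise a permitted_enctypes value (space or comma separated)."""
    names = re.split(r"[\s,]+", value.strip())
    return {ALIASES.get(n, n) for n in names if n}

def check(log_line, permitted_value):
    """Split the offered etypes into those the setting permits and those it filters."""
    permitted = permitted_set(permitted_value)
    offered = requested_etypes(log_line)
    return {
        "usable": [e for e in offered if e in permitted],
        "filtered": [e for e in offered if e not in permitted],
        "single_des_permitted": sorted(permitted & SINGLE_DES),
    }

# Log line and both settings are the ones quoted in the message above.
LOG = ("Jan 31 15:26:42 tjener.intern krb5kdc[16339](info): AS_REQ (4 etypes "
       "{18 17 16 23}) 10.0.15.1: NEEDED_PREAUTH: pere@INTERN for "
       "krbtgt/INTERN@INTERN, Additional pre-authentication required")
DES_ONLY = "des-cbc-crc"
WIDENED = ("des-cbc-crc rc4-hmac des3-cbc-sha1-kd "
           "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96")

if __name__ == "__main__":
    for label, value in (("des-only", DES_ONLY), ("widened", WIDENED)):
        print(label, check(LOG, value))
```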