On Wed, 2012-10-03 at 13:26 -0400, Steve Dickson wrote: > Hello, > > These issues were found at this Fall's Bake-a-ton... > > On 03/10/12 13:02, Chuck Lever wrote: > > > > Free IPA does not support weak crypto > > https://bugzilla.linux-nfs.org/show_bug.cgi?id=229
DES support is disabled on purpose, IETF also has an RFC approved that finally says DES *should* not be made available anymore. DES can be cracked in a matter of hours these days which makes its use questionable. DES can be re-enabled manually by twisting a bunch of knobs if you really want to. (including enable weak crypto in krb5.conf) So I would close as NOTABUG. > > Confusing debugging output when configuring NFS over Kerberos > > https://bugzilla.linux-nfs.org/show_bug.cgi?id=230 Not much we (FreeIPA) can do about this one. GSSAPI error codes can be cryptic at time, but they are returned by libgssapi not FreeIPA. Maybe you can add more meat to the debug on the rpc.svcgssd side by printing out what principal you tried to use. If you can identify for sure what causes the error we can open a bug against MIT and see if there is a chance GSSAPI can properly identify the error. Unfortunately it doesn't help that there are many abstraction layers involved here and sometimes error messages get mangled/lost in the process :-/ (Basically KDC errors -> krb5 protocol level error -> libkrb5 level error -> libgssapi level error -> application) Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel