Hello, I try to enable des3-cbc-sha1 encryption type for a nfs service on a linux Centos-7 nfs-server that is enrolled with a ipa 4.6.4 server I have allow_weak_crypto = true in my keytab.conf on the nfs server.
To check permitted encryption types I do on the nfs server: $ipa-getkeytab --permitted-enctypes Supported encryption types: AES-256 CTS mode with 96-bit SHA-1 HMAC AES-128 CTS mode with 96-bit SHA-1 HMAC AES-256 CTS mode with 192-bit SHA-384 HMAC AES-128 CTS mode with 128-bit SHA-256 HMAC Triple DES cbc mode with HMAC/sha1 ArcFour with HMAC/md5 Camellia-128 CTS mode with CMAC Camellia-256 CTS mode with CMAC DES cbc mode with CRC-32 DES cbc mode with RSA-MD5 DES cbc mode with RSA-MD4 when: $ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN —e des3-cbc-sha1 -k /etc/krb5.keytab I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab However when checking I only see "aes" encryption types are optained. >klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96) 1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96) 4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96) 4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96) Not shure what I am doing wrong here. I would like to experiment with weak encryption type to see if it's possible to mount a kereberized nfs share on a Apple computer running osx 10.13 If I read the documentation well Apple supports: OS X NFS RPCSEC_GSS supports: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1. nfs version 3 Thanks for any help. Rob. _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
