Thanks for responding. Solved it. It’s not ipa but my own fault.
Found in my command string: "ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN -k /etc/krb5.keytab —e des3-cbc-sha1" that the "-" before the "e des3-cbc-sha1" was not a real "-".

wrong and therefore bypassed: —e des3-cbc-sha1
correct and accepted: -e des3-cbc-sha1

Regards,
Rob.

<http://www.linkedin.com/company/filmmore-amsterdam/>

> On 2 dec. 2020, at 22:17, Rob Crittenden <[email protected]> wrote:
>
> Rob van Halteren via FreeIPA-users wrote:
>> Hello,
>>
>> I try to enable des3-cbc-sha1 encryption type for a nfs service on a linux
>> Centos-7 nfs-server that is enrolled with an ipa 4.6.4 server
>> I have allow_weak_crypto = true in my keytab.conf on the nfs server.
>>
>> To check permitted encryption types I do on the nfs server:
>> $ipa-getkeytab --permitted-enctypes
>> Supported encryption types:
>> AES-256 CTS mode with 96-bit SHA-1 HMAC
>> AES-128 CTS mode with 96-bit SHA-1 HMAC
>> AES-256 CTS mode with 192-bit SHA-384 HMAC
>> AES-128 CTS mode with 128-bit SHA-256 HMAC
>> Triple DES cbc mode with HMAC/sha1
>> ArcFour with HMAC/md5
>> Camellia-128 CTS mode with CMAC
>> Camellia-256 CTS mode with CMAC
>> DES cbc mode with CRC-32
>> DES cbc mode with RSA-MD5
>> DES cbc mode with RSA-MD4
>>
>> when:
>> $ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN —e des3-cbc-sha1 -k
>> /etc/krb5.keytab
>>
>> I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
>>
>> However when checking I only see "aes" encryption types are obtained.
>>
>>> klist -ke
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
>> 1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
>> 4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
>> 4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
>>
>> Not sure what I am doing wrong here.
>>
>> I would like to experiment with weak encryption type to see if it's possible
>> to mount a kerberized nfs share on an Apple computer
>> running osx 10.13
>> If I read the documentation well Apple supports: OS X NFS RPCSEC_GSS
>> supports: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1.
>> nfs version 3
>>
>> Thanks for any help.
>
> This is going to sound nuts but can you try the -e des3-cbc-sha1 after
> the keytab?
>
> It looks like popt may not be picking up the -e in all cases. I've got a
> very weird reproducer on my system and it's completely baffling.
>
> rob
>
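The failure in this thread was silent: the command reported success while the `—e` option was never parsed. The following is an added example, not part of the original messages or of FreeIPA: it flags typographic dashes and quotes in a command line and checks `klist -ke` output for the requested enctype. The function names and the sample data are assumptions modelled on the thread.

```python
import re
import unicodedata

# One keytab entry as printed by `klist -ke`: KVNO, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def find_lookalikes(argv):
    """Return (arg index, char index, Unicode name) for every typographic
    dash or quote that an editor or mail client substituted for ASCII."""
    hits = []
    for i, arg in enumerate(argv):
        for j, ch in enumerate(arg):
            cat = unicodedata.category(ch)
            # Pd = dash punctuation, Pi/Pf = curly quotes, U+2212 = math minus.
            if ch != "-" and (cat in ("Pd", "Pi", "Pf") or ch == "\u2212"):
                hits.append((i, j, unicodedata.name(ch)))
    return hits

def keytab_enctypes(klist_output, principal):
    """Collect the enctypes listed for one principal in `klist -ke` output."""
    found = set()
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) == principal:
            # Some krb5 releases print "DEPRECATED:" before weak enctype names.
            found.add(m.group(3).split(":")[-1])
    return found

def missing_enctypes(klist_output, principal, wanted):
    """Enctypes that were requested but are absent from the keytab."""
    return sorted(set(wanted) - keytab_enctypes(klist_output, principal))

# Constructed sample input, modelled on the command and output in the thread.
SAMPLE_ARGV = ["ipa-getkeytab", "-p", "nfs/myhost.mydomain@MYDOMAIN",
               "-k", "/etc/krb5.keytab", "\u2014e", "des3-cbc-sha1"]
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for i, j, name in find_lookalikes(SAMPLE_ARGV):
        print(f"argv[{i}] = {SAMPLE_ARGV[i]!r}: {name} at offset {j}")
    print("missing:", missing_enctypes(
        SAMPLE_KLIST, "nfs/myhost.mydomain@MYDOMAIN", ["des3-cbc-sha1"]))
```
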
