Hey all.

I've been trying to setup kerberized NFS with IPA running on RHEL6.2 and NFS 
running on RHEL5.7.
The documentation states that if you are using an older kernel (like the one in 
RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure 
you specify -e des-cbc-crc
when exporting your keytab from the IPA server. However things are not working 
out.

I do manage to export a des-cbc-crc key but when trying to mount the NFS share 
from an IPA client on rhel 6.2 it doesnt work.
I have put the allow_weak_crypto = yes in the libdefaults section of my 
krb5.conf on all machines in the domain. And i've tried changing my password 
after that. But it still doesnt work.
I'm unsure what to expect but if i do a klist -e i dont see any des-cbc-crc key 
in my keytab as the user i logged in as.

If i move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works 
just fine but then i'm unable to mount the share from the RHEL5.7 client.
If i do a kinit u...@myrealm.bla and check the klist -e i dont have any des-cbc 
keys. I only get the AES ones.

I did find this thread about running rhel5/rhel6 clients but with an AD 
kerberos domain so it's not the same problem. but they do get some of the same 
symptoms.
http://www.spinics.net/lists/linux-nfs/msg22188.html

There they specify default_tgs_enctypes and default_tkt_enctypes to get it 
working.

Anyone here know's whats wrong or what i'm doing wrong?

Regards
Johnny

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to