On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote:
> Hey all.
> Left for the day so I'll try and post debug output tomorrow. However I
> think I might have stumbled upon the issue.
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s <server>
> -p host/hostname.domain@DOMAIN

You may also have to enable des keys on the KDC itself, depending on the
IPA version.

You certainly need *exclusively* DES keys for the nfs/fqdn@REALM key
(due to your old client unfortunately). All nfs keys must use only DES
both on the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that
one, and you'd severely degrade your host security by using DES keys in
your host/fqdn principal.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
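
An added example, not part of the original thread: a small audit of `klist -kte` output that applies the rule from the reply above (nfs/ keys DES-only for the old client, host/ keys never DES). The sample listing, hostnames and realm are constructed, and the parser assumes the usual `KVNO Timestamp Principal (enctype)` line layout.

```python
import re

# Constructed sample of `klist -kte` output; hostnames and realm are placeholders.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------
   1 02/07/12 16:40:01 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 02/07/12 16:40:01 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 02/07/12 16:45:10 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 02/07/12 16:45:10 nfs/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, date + time, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")
# Single DES in short ("des-cbc-crc") or long ("DES cbc mode with CRC-32") form.
# Anchored at the start so "des3-cbc-sha1" and "Triple DES ..." do not match.
SINGLE_DES = re.compile(r"^des[- ]cbc", re.IGNORECASE)


def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def audit(entries):
    """Flag DES keys on host/ principals and non-DES keys on nfs/ principals."""
    findings = []
    for _kvno, principal, enctype in entries:
        service = principal.split("/", 1)[0]
        is_des = bool(SINGLE_DES.match(enctype))
        if service == "host" and is_des:
            findings.append((principal, enctype, "host/ key uses DES"))
        elif service == "nfs" and not is_des:
            findings.append((principal, enctype, "nfs/ key is not DES-only"))
    return findings


if __name__ == "__main__":
    for principal, enctype, reason in audit(parse_keytab_listing(SAMPLE)):
        print(f"{principal} ({enctype}): {reason}")
```

To check a real host, feed the function the text of `klist -kte` run as root instead of `SAMPLE`.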
