OK, so how do I enable DES keys on my KDC? I'm running the IPA on RHEL6.2, so
it's the one from the channel, is it 2.1.4? I don't have the machine in front of
me so I can't check.
The documentation does not state that you need to enable DES keys on the IPA
while setting this up. It only states that you need to enable allow_weak_crypto
in krb5.conf
and make sure you export your NFS principal with -e des-cbc-crc.

From: Simo Sorce [s...@redhat.com]
Sent: 7 February 2012 17:06
To: Westerlund Johnny
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA and NFS

On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote:
> Hey all.
> Left for the day so I'll try and post debug output tomorrow. However I
> think I might have stumbled upon the issue.
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s <server>
> -p host/hostname.domain@DOMAIN

You may also have to enable des keys on the KDC itself, depending on the
IPA version.

You certainly need *exclusively* DES keys for the nfs/fqdn@REALM key
(due to your old client unfortunately). All nfs keys must use only DES
both on the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that
one, and you'd severely degrade your host security by using DES keys in
your host/fqdn principal.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
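The advice in the thread boils down to three checks on the NFS server: allow_weak_crypto is on in krb5.conf, the nfs/ principal carries a des-cbc-crc key (and only DES keys), and the host/ principal was not re-keyed with DES. The script below is an added example written for this page, not code from the thread or from FreeIPA; it encodes those checks against a `klist -kte` listing. The hostnames, realm and both keytab listings are constructed for illustration, and the ipa-getkeytab line it prints is the one the thread describes (the `-s`, `-p`, `-k` and `-e` options are real ipa-getkeytab flags).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Checks a `klist -kte` listing against the thread's advice:
#   - nfs/FQDN must carry a des-cbc-crc key (the old NFS client needs it) and
#     must carry DES keys only ("exclusively DES"),
#   - host/FQDN must carry no DES key at all (do not re-key host/ with DES).
# Hostnames, realm and both listings below are constructed sample data.

# Constructed sample of `klist -kte /etc/krb5.keytab` on a correctly set up
# RHEL 6 NFS server: strong keys for host/, a DES-only key for nfs/.
GOOD_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/07/12 10:00:00 host/nfs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/07/12 10:00:00 host/nfs1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/07/12 10:00:00 host/nfs1.example.com@EXAMPLE.COM (arcfour-hmac)
   3 02/07/12 10:05:00 nfs/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)'

# Constructed sample of the mistake the thread warns against: host/ was
# re-fetched with -e des-cbc-crc, so the host key is now DES.
BAD_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/07/12 11:00:00 host/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)
   3 02/07/12 10:05:00 nfs/nfs1.example.com@EXAMPLE.COM (des-cbc-crc)'

# count_keys LISTING PRINCIPAL_PREFIX ENCTYPE_PREFIX
# Prints the number of keytab entries whose principal starts with
# PRINCIPAL_PREFIX (e.g. 'nfs/') and whose enctype starts with ENCTYPE_PREFIX
# (e.g. 'des-cbc-'; pass '' to count every enctype). Always exits 0.
count_keys() {
    printf '%s\n' "$1" | grep -c " $2[^ ]* (${3}" || true
}

# check_nfs_keytab LISTING
# Returns 0 when LISTING follows the thread's advice, 1 otherwise (reason on
# stderr).
check_nfs_keytab() {
    nfs_crc=$(count_keys "$1" 'nfs/' 'des-cbc-crc')
    nfs_des=$(count_keys "$1" 'nfs/' 'des-cbc-')
    nfs_all=$(count_keys "$1" 'nfs/' '')
    host_des=$(count_keys "$1" 'host/' 'des-cbc-')
    if [ "$nfs_crc" -eq 0 ]; then
        echo 'nfs/ has no des-cbc-crc key; the old NFS client cannot use it' >&2
        return 1
    fi
    if [ "$nfs_all" -ne "$nfs_des" ]; then
        echo 'nfs/ must carry DES keys only (mixed enctypes found)' >&2
        return 1
    fi
    if [ "$host_des" -ne 0 ]; then
        echo 'host/ carries a DES key; host/ must keep its strong keys' >&2
        return 1
    fi
    return 0
}

# krb5_conf_weak_crypto
# Prints the [libdefaults] setting the thread says is needed so libkrb5 will
# use a DES key at all.
krb5_conf_weak_crypto() {
    printf '[libdefaults]\n  allow_weak_crypto = true\n'
}

# nfs_getkeytab_cmd IPA_SERVER FQDN REALM
# Prints the ipa-getkeytab invocation from the thread for the nfs/ service
# principal only. Do not run the same thing against host/FQDN.
nfs_getkeytab_cmd() {
    printf 'ipa-getkeytab -s %s -p nfs/%s@%s -k /etc/krb5.keytab -e des-cbc-crc\n' \
        "$1" "$2" "$3"
}

# Stand-alone demonstration on the constructed listings.
check_nfs_keytab "$GOOD_KLIST" && echo "GOOD_KLIST: ok"
check_nfs_keytab "$BAD_KLIST"  || echo "BAD_KLIST: rejected (expected)"
krb5_conf_weak_crypto
nfs_getkeytab_cmd ipa.example.com nfs1.example.com EXAMPLE.COM
```

On a real box run it as `check_nfs_keytab "$(klist -kte /etc/krb5.keytab)"` as root. Note that ipa-getkeytab generates a fresh key and bumps the KVNO each time it is run, so fetching nfs/ again invalidates any older copy of that key in other keytabs; that is also why running it against host/ with `-e des-cbc-crc` is destructive rather than additive.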