OK, so how do I enable DES keys on my KDC? I'm running the IPA on RHEL6.2 so it's the one from the channel, is it 2.1.4? I don't have the machine in front of me so I can't check. The documentation does not state that you need to enable DES keys on the IPA while setting this up. It only states that you need to enable allow_weak_crypto in krb5.conf and make sure you export your NFS principal with -e des-cbc-crc.
________________________________________
From: Simo Sorce [s...@redhat.com]
Sent: 7 February 2012 17:06
To: Westerlund Johnny
Cc: firstname.lastname@example.org
Subject: Re: [Freeipa-users] IPA and NFS

On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote:
> Hey all.
>
> Left for the day so I'll try and post debug output tomorrow. However I
> think I might have stumbled upon the issue.
>
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s <server>
> -p host/hostname.domain@DOMAIN

You may also have to enable des keys on the KDC itself, depending on the IPA version.

You certainly need *exclusively* DES keys for the nfs/fqdn@REALM key (due to your old client unfortunately). All nfs keys must use only DES both on the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that one, and you'd severely degrade your host security by using DES keys in your host/fqdn principal.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
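
A check for the keytab rule described in this thread, as an added example that is not part of the original messages: it reads `klist -kte` output and flags any nfs/ key that is not DES and any host/ key that is DES. The listing is constructed sample data, the function names are hypothetical, and the matcher assumes enctypes are printed either as short names (des-cbc-crc) or as the long descriptions used by older klist builds.

```shell
#!/bin/sh
# check_keytab_enctypes: read `klist -kte` output on stdin and print one line
# per key that breaks the rule from the thread:
#   nfs/  principals: DES keys only (needed for the old NFS client)
#   host/ principals: no DES keys
# Returns 0 when no violation is found, 1 otherwise.
check_keytab_enctypes() {
    awk '
    # Key rows look like: KVNO DATE TIME PRINCIPAL (ENCTYPE)
    /^ *[0-9]+ / && /\(.*\) *$/ {
        princ = $4
        etype = $0
        sub(/^[^(]*\(/, "", etype)   # drop everything up to the "("
        sub(/\) *$/, "", etype)      # drop the closing ")"
        # Assumption: single DES shows up as a short name (des-cbc-crc,
        # des-cbc-md5) or as a long description (DES cbc mode with CRC-32).
        # des3-* and "Triple DES ..." are deliberately not matched.
        des = (etype ~ /^des-/ || etype ~ /^DES cbc mode/)
        if (princ ~ /^nfs\// && !des) {
            print "NON-DES nfs key: " princ " (" etype ")"; bad = 1
        }
        if (princ ~ /^host\// && des) {
            print "DES host key: " princ " (" etype ")"; bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample listing (not taken from a real host).
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 02/07/12 16:10:00 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 02/07/12 16:10:00 host/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 02/07/12 16:12:00 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 02/07/12 16:12:00 nfs/client.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}

# On a real host: klist -kte /etc/krb5.keytab | check_keytab_enctypes
sample_keytab_listing | check_keytab_enctypes || true
```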