I'm pretty sure this doesn't work.
I've created the nfs/client.host.name and exported it via ipa-getkeytab -s 
<server> -p nfs/client.host.name -e des-cbc-crc.
enabled secure nfs in /etc/sysconfig/nfs
Then i did the same with the server. Create the nfs/server.host.name nad export 
via ipa-getkeytab -s <server> -p nfs/server.host.name -e des-cbc-crc.
And also enable secure nfs

I'll send an update when i have time to look at this again. But i'm pretty sure 
that it didnt work.

Från: Simo Sorce [s...@redhat.com]
Skickat: den 7 februari 2012 17:35
Till: Westerlund Johnny
Kopia: freeipa-users@redhat.com
Ämne: Re: SV: [Freeipa-users] IPA and NFS

On Tue, 2012-02-07 at 17:10 +0100, Westerlund Johnny wrote:
> OK, so how do i enable des keys on my KDC? I'm running the IPA on RHEL6.2 so 
> it's the one from the channel, is it 2.1.4? I don't have the machine infront 
> of me so i cant check.
> The documentation does not state that you need to enable des keys on the IPA 
> while setting up this. It only states that you need to enable 
> allow_weak_crypto in krb5.conf
> and make sure you export your NFS principal with -e des-cbc-crc .

2.1.x still did not disable DES keys by default, so you should be
already all set since you changed the 'allow weak crypto' parameter in
krb5.conf on the server.

Now all you need to do is to get a nfs/fqdn keytab that uses only DES
keys for your NFS server as well for the clients.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to