Ondrej Valousek wrote:
Three notes:


/export *(rw,sec=krb5,no_subtree_check,no_root_squash)
is better than
/export gss/krb5(rw,no_subtree_check,no_root_squash)

2. Kerberos library is still too picky about reverse DNS records - i.e.
if the reverse DNS does not match the principal name in keytab, you are
most likely to fail.

3. We should still mention the rpc.idmapd settings I think - people are
still used to nfsv3 so this might be confusing to them.

This is good for F-16 (and probably RHEL 6) but it is dated for Fedora.

The ipa-client-automount tool will do all this for a client. It is still an exercise for the user to set up a server.

The mechanism for configuring weak crypto on the server needs work too. We disable DES by default now.


Freeipa-users mailing list

Reply via email to