On Fri, 2013-07-12 at 14:51 +0000, Ondrej Valousek wrote:
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ● Upgrade to the latest fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> handle aes keys).

3des makes little sense, it is the least used enctype.

If you want to be backwards compatible with old kernels you'll have to
stick with DES (not 3DES) which is utterly insecure these days.
Otherwise go straight to AES and don't look back.

Support for AES has been available for quite a few Fedora releases and in RHEL6.


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
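
The following is an added example, not part of the original thread: a small audit of a client krb5.conf that flags single-DES and 3DES entries so the enctype lists can be moved to AES as the reply recommends. It assumes MIT krb5's `[libdefaults]` settings `permitted_enctypes`, `default_tkt_enctypes`, `default_tgs_enctypes` and `allow_weak_crypto`; the sample configuration and realm name are constructed.

```python
import re

# Constructed sample: a client krb5.conf still carrying legacy enctypes.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  allow_weak_crypto = true
  permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""

ENCTYPE_KEYS = {"permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes"}

def classify(enctype):
    """Bucket an enctype name into des / 3des / aes / other by its prefix."""
    name = enctype.lower()
    if name.startswith("des3"):
        return "3des"
    if name.startswith("des"):
        return "des"
    if name.startswith("aes"):
        return "aes"
    return "other"

def audit(conf_text):
    """Return (key, value, reason) tuples for legacy settings in [libdefaults]."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes", "1", "on"):
            findings.append((key, value, "weak crypto enabled"))
        elif key in ENCTYPE_KEYS:
            for tok in re.split(r"[\s,]+", value):
                # A leading "-" removes an enctype from the list, so skip it.
                if tok and not tok.startswith("-") and classify(tok) in ("des", "3des"):
                    findings.append((key, tok, classify(tok)))
    return findings
```

Calling `audit()` on the text of a real krb5.conf returns an empty list once only AES entries remain.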
