On Fri, 2013-07-12 at 14:51 +0000, Ondrej Valousek wrote:
> Hard to say.
> In general, when dealing w/ nfs & kerberos, I would advise to:
> ● Upgrade to the latest Fedora
> ● Make sure idmapper is configured and working fine
> ● Limit krb enctypes to 3des-cbc-crc (not sure if your kernel can
> handle aes keys).
3des makes little sense, it is the least used enctype.
If you want to be backwards compatible with old kernels you'll have to
stick with DES (not 3DES) which is utterly insecure these days.
Otherwise go straight to AES and don't look back.
Support for AES has been available for quite a few Fedora releases and in RHEL6.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
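
Added example, not part of the original message or of FreeIPA: a small audit of `klist -ke` output that reports, per principal, whether the current key version has an AES key and which non-AES enctypes (DES, 3DES, RC4) are still present. The sample listing, host names and realm are constructed, and the parser assumes the plain `klist -ke` layout without timestamps.

```python
import re

# Constructed sample of `klist -ke /etc/krb5.keytab` output (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 nfs/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 nfs/legacy.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/legacy.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

# "<kvno> <principal> (<enctype>)"; newer MIT klist prefixes weak types with DEPRECATED:
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")


def classify(enctype):
    """Map an MIT Kerberos enctype name to a coarse family."""
    e = enctype.lower()
    if e.startswith("aes"):
        return "aes"
    if e.startswith("des3"):
        return "3des"
    if e.startswith("des-"):
        return "des"
    return "other"


def audit_keytab(listing):
    """Return {principal: {"kvno", "has_aes", "non_aes"}} for the highest kvno only."""
    keys = {}  # principal -> {kvno: [enctype, ...]}
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        keys.setdefault(principal, {}).setdefault(kvno, []).append(enctype)
    report = {}
    for principal, by_kvno in keys.items():
        current = by_kvno[max(by_kvno)]  # older kvnos are superseded keys
        non_aes = sorted(e for e in current if classify(e) != "aes")
        report[principal] = {"kvno": max(by_kvno),
                             "has_aes": any(classify(e) == "aes" for e in current),
                             "non_aes": non_aes}
    return report


if __name__ == "__main__":
    for principal, info in sorted(audit_keytab(SAMPLE_KLIST).items()):
        print(principal, info)
```

A principal with `has_aes` false has no AES key in the keytab at all; one with a non-empty `non_aes` list still carries keys of the older enctypes discussed above.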