Transferring NFSv4 nfs/ keys from KDC to client?

Benjamin Kaduk kaduk at MIT.EDU
Thu Mar 20 23:30:27 EDT 2014


On Thu, 20 Mar 2014, Wendy Lin wrote:

> On 20 March 2014 15:23, Simo Sorce <simo at redhat.com> wrote:
>> On Thu, 2014-03-20 at 14:48 +0100, ольга крыжановская wrote:
>>> Can anyone confirm, or deny, that using only
>>>
>>> permitted_enctypes = "des-cbc-crc"
>>>
>>> will work around the problem?
>>
>> In older kernels the only encryption algorithm supported for NFS is DES;
>> this is a well-known limitation.
>>
>>>  How can I create such a "des-cbc-crc"
>>> key, if I do not have them yet?
>>
>> You can get a new set of keys for the principal using ktadd and passing
>> it -e des-cbc-crc as an option. This will create only a des key for the
>> principal and the KDC will use no other encryption algorithms when
>> releasing tickets for the principal to other clients.
>
> It does not work:
> ktadd -e des-cbc-crc testuser
> ktadd: Invalid argument while parsing keysalts des

As documented at 
http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmin_local.html#ktadd 
, the argument to the -e flag is an enctype:salt pair, e.g., 
des-cbc-crc:normal.

-Ben

