netapp, nfs, kerberos, and ldap

Mark Dieterich mkd at cs.brown.edu
Wed Apr 6 13:36:34 EDT 2005


Hi all,

I'm fairly new to the list and pretty much a newbie to kerberos and
ldap, so please be gentle with me ;)  First a little background.  We are 
starting a project to transition from NIS to kerberos and ldap.  One of 
the eventual goals is to offer secure NFS for our linux/solaris clients 
talking to a NetApp filer.  In our test environment, we have a kerberos 
realm up and running.  Our ldap servers are running nicely and talking 
with the kerberos servers to authenticate any updates for certain kerberos 
principals.  All of our testing to date has been using linux.

Now the problems:

1.  The NetApp filer wants to see tickets encrypted with des-cbc-crc.
Our kerberos database was initialized with des3-hmac-sha1.  We've added
des-cbc-crc encrypted tickets for the NFS server and even gone to the
point of encrypting our client host principals with des-cbc-crc
encryption types.  However, it seems that regardless of what we do, all
of the cached tickets are ending up with des3-hmac-sha1 encryption,
which is causing communication between the linux nfs client and netapp filer
to fail.  We nuked the kerberos database and reinitialized with
des-cbc-crc encryption.  In this case, even tickets in the database
encrypted with des3-hmac-sha1 are cached on the client with des-cbc-crc
encryption.  I'm clearly missing something here.  I thought that
kerberos would provide the least common denominator for encryption type,
i.e. we could have our database be encrypted with des3-hmac-sha1, with
des-cbc-crc encrypted tickets stored in it.  As long as all the
tickets for a particular service are des-cbc-crc encrypted, the
clients/servers would get des-cbc-crc encrypted tickets.  Can you set me
straight?

2.  I'm missing a piece of the secure NFS puzzle, what handles the
authorization?  Is this ldap?  I know that kerberos handles the
authentication portion.  If this is the case, our NFS solution would
only be as secure as ldap, correct?

I'd be happy to answer any questions you might have.

Thanks!

Mark
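
The configuration below is an added illustration for question 1; it is not part of the original post and not NetApp's or MIT's documentation. It shows the two places a practitioner checks when a service ticket comes back in the wrong enctype: the key set actually stored for the NFS service principal on the KDC (a service ticket is always encrypted in one of the keys that principal holds, so a principal that still holds a des3 key can still be issued des3 tickets), and the enctype list the client offers in its requests. The realm EXAMPLE.COM, the host names, and the keytab path are placeholders (assumed, not from the post). The kadmin commands are given as comments; `-e des-cbc-crc:normal` on `addprinc`/`cpw` replaces the principal's whole key set rather than adding to it, which is the difference that matters here.

```ini
# --- KDC side (kadmin.local), shown as comments: give the filer's principal
# --- ONLY a single-DES key, then export it for the NetApp.
#   addprinc -randkey -e des-cbc-crc:normal nfs/filer.example.com@EXAMPLE.COM
#   ktadd -k /tmp/filer.keytab -e des-cbc-crc:normal nfs/filer.example.com@EXAMPLE.COM
#   getprinc nfs/filer.example.com@EXAMPLE.COM    ; confirm "Key: vno 1, DES cbc mode with CRC-32"
#
# --- Client side: /etc/krb5.conf on the Linux NFS client (assumed values).
# Keep the realm's default strong enctype first so ordinary services stay on
# des3; single-DES is only permitted so that the filer's ticket can be obtained.
[libdefaults]
    default_realm       = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes   = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc          = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com  = EXAMPLE.COM

# --- Verification (comments): after kinit and a mount attempt, "klist -e" lists
# the enctype of each cached ticket. The expected state is a des3 TGT and a
# des-cbc-crc ticket for nfs/filer.example.com; if the filer ticket is still
# des3, the service principal still has a des3 key in the database.
```

Scoping single DES to the one service principal that needs it keeps the rest of the realm on des3 and makes the weak key easy to find and retire later; if the KDC is instead reinitialised with des-cbc-crc as the default, every principal in the realm inherits the weak enctype.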