netapp, nfs, kerberos, and ldap

user coadyho at yahoo.com
Thu Apr 7 15:24:15 EDT 2005


I found out when the keytabs were created DES only
for the services. Also in the krb5.conf, we have

[libdefaults]
         ticket_lifetime = 600
         default_realm = EXAMPLE.COM
         default_tkt_enctypes = des-cbc-crc
         default_tgs_enctypes = des-cbc-crc

It seemed to help.



-----------------------------------------
> 
> Date: Wed, 6 Apr 2005 13:36:34 -0400
> From: Mark Dieterich <mkd at cs.brown.edu>
> To: kerberos at mit.edu
> Subject: netapp, nfs, kerberos, and ldap
> Message-ID: <20050406173634.GA12120 at cs.brown.edu>
> 
> Hi all,
> 
> I'm fairly new to the list and pretty much a newbie to kerberos and
> ldap, so please be gentle with me ;)  First a little background.  We are 
> starting a project to transition from NIS to kerberos and ldap.  One of 
> the eventual goals is to offer secure NFS for our linux/solaris clients 
> talking to a NetApp filer.  In our test environment, we have a kerberos 
> realm up and running.  Our ldap servers are running nicely and talking 
> with the kerberos servers to authenticate any updates for certain kerberos 
> principals.  All of our testing to date has been using linux.
> 
> Now the problems:
> 
> 1.  The NetApp filer wants to see tickets encrypted with des-cbc-crc.
> Our kerberos database was initialized with des3-hmac-sha1.  We've added
> des-cbc-crc encrypted tickets for the NFS server and even gone to the
> point of encrypting our client host principals with des-cbc-crc
> encryption types.  However, it seems that regardless of what we do, all
> of the cached tickets are ending up with des3-hmac-sha1 encryption,
> which is causing communication between the linux nfs client and netapp filer
> to fail.  We nuked the kerberos database and reinitialized with
> des-cbc-crc encryption.  In this case, even tickets in the database
> encrypted with des3-hmac-sha1 are cached on the client with des-cbc-crc
> encryption.  I'm clearly missing something here.  I thought that
> kerberos would provide the least common denominator for encryption type,
> i.e. we could have our database be encrypted with des3-hmac-sha1, with
> des-cbc-crc encrypted tickets stored in it.  As long as all the
> tickets for a particular service are des-cbc-crc encrypted, the
> clients/servers would get des-cbc-crc encrypted tickets.  Can you set me
> straight?
> 
> 2.  I'm missing a piece of the secure NFS puzzle, what handles the
> authorization?  Is this ldap?  I know that kerberos handles the
> authentication portion.  If this is the case, our NFS solution would
> only be as secure as ldap, correct?
> 
> I'd be happy to answer any questions you might have.
> 
> Thanks!
> 
> Mark
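
An added example, not part of the original thread or of any project's code: the [libdefaults] enctype relations in the reply apply to every service the client talks to, not only the filer, so this Python check reads a krb5.conf and reports which of those relations restrict the client to single-DES (deprecated for Kerberos by RFC 6649). The function names are illustrative assumptions; the sample input is the block quoted in the reply.

```python
import re

# Single-DES enctype names (and the "des" family alias) as listed by MIT krb5.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
              "des-cbc-raw", "des-hmac-sha1", "des"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

def parse_libdefaults(text):
    """Return {key: value} for the top-level relations in [libdefaults]."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m and depth == 0:
            section = m.group(1).strip().lower()
        elif line.endswith("{"):
            depth += 1                    # nested block, e.g. a realm entry
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit_enctypes(text):
    """Return (key, verdict, enctypes) for each enctype relation found."""
    findings = []
    for key, value in parse_libdefaults(text).items():
        if key not in ENCTYPE_KEYS:
            continue
        enctypes = [e.lower() for e in re.split(r"[\s,]+", value) if e]
        weak = [e for e in enctypes if e in SINGLE_DES]
        verdict = ("single-DES only" if weak and len(weak) == len(enctypes)
                   else "includes single-DES" if weak else "no single-DES")
        findings.append((key, verdict, enctypes))
    return findings

# Sample input: the [libdefaults] block quoted in the reply above.
SAMPLE = """\
[libdefaults]
         ticket_lifetime = 600
         default_realm = EXAMPLE.COM
         default_tkt_enctypes = des-cbc-crc
         default_tgs_enctypes = des-cbc-crc
"""
if __name__ == "__main__":
    for key, verdict, enctypes in audit_enctypes(SAMPLE):
        print(f"{key}: {verdict} ({', '.join(enctypes)})")
```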


