netapp, nfs, kerberos, and ldap
user
coadyho at yahoo.com
Thu Apr 7 15:24:15 EDT 2005
I found out when the keytabs were created DES only
for the services. Also in the krb5.conf, we have
[libdefaults]
ticket_lifetime = 600
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
It seemed to help.
-----------------------------------------
>
> Date: Wed, 6 Apr 2005 13:36:34 -0400
> From: Mark Dieterich <mkd at cs.brown.edu>
> To: kerberos at mit.edu
> Subject: netapp, nfs, kerberos, and ldap
> Message-ID: <20050406173634.GA12120 at cs.brown.edu>
>
> Hi all,
>
> I'm fairly new to the list and pretty much a newbie to kerberos and
> ldap, so please be gentle with me ;) First a little background. We are
> starting a project to transition from NIS to kerberos and ldap. One of
> the eventual goals is to offer secure NFS for our linux/solaris clients
> talking to a NetApp filer. In our test environment, we have a kerberos
> realm up and running. Our ldap servers are running nicely and talking
> with the kerberos servers to authenticate any updates for certain kerberos
> principals. All of our testing to date has been using linux.
>
> Now the problems:
>
> 1. The NetApp filer wants to see tickets encrypted with des-cbc-crc.
> Our kerberos database was initialized with des3-hmac-sha1. We've added
> des-cbc-crc encrypted tickets for the NFS server and even gone to the
> point of encrypting our client host principals with des-cbc-crc
> encryption types. However, it seems that regardless of what we do, all
> of the cached tickets are ending up with des3-hmac-sha1 encryption,
> which is causing communication between the linux nfs client and netapp filer
> to fail. We nuked the kerberos database and reinitialized with
> des-cbc-crc encryption. In this case, even tickets in the database
> encrypted with des3-hmac-sha1 are cached on the client with des-cbc-crc
> encryption. I'm clearly missing something here. I thought that
> kerberos would provide the least common denominator for encryption type,
> i.e. we could have our database be encrypted with des3-hmac-sha1, with
> des-cbc-crc encrypted tickets stored in it. As long as all the
> tickets for a particular service are des-cbc-crc encrypted, the
> clients/servers would get des-cbc-crc encrypted tickets. Can you set me
> straight?
>
> 2. I'm missing a piece of the secure NFS puzzle, what handles the
> authorization? Is this ldap? I know that kerberos handles the
> authentication portion. If this is the case, our NFS solution would
> only be as secure as ldap, correct?
>
> I'd be happy to answer any questions you might have.
>
> Thanks!
>
> Mark
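
Added example, not part of the original thread: a small Python check that reads the [libdefaults] stanza from the reply above and reports whether each enctype list is restricted to single DES. The function names and verdict labels are assumptions of this example; permitted_enctypes is a real krb5.conf option that the stanza in the thread does not set.

```python
import re

# Single-DES enctype names as spelled in MIT krb5 configuration.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# The [libdefaults] stanza quoted in the reply above.
THREAD_CONF = """\
[libdefaults]
ticket_lifetime = 600
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
"""

def parse_section(text, wanted="libdefaults"):
    """Return {key: value} for one flat section of a krb5.conf-style file."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == wanted and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit_enctypes(text):
    """Classify each enctype list: 'des-only', 'des-allowed', 'no-des' or 'unset'."""
    conf = parse_section(text)
    report = {}
    for key in ENCTYPE_KEYS:
        if key not in conf:
            report[key] = "unset"            # the library's built-in default applies
            continue
        # Enctype lists are separated by whitespace and/or commas.
        names = set(re.split(r"[,\s]+", conf[key].lower())) - {""}
        weak = names & SINGLE_DES
        report[key] = ("des-only" if weak and weak == names
                       else "des-allowed" if weak else "no-des")
    return report

if __name__ == "__main__":
    for key, verdict in audit_enctypes(THREAD_CONF).items():
        print(f"{key}: {verdict}")
```

A des-only verdict on default_tkt_enctypes and default_tgs_enctypes means the client asks for single DES on its TGT and on tickets for every service it contacts, not only for the filer.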