netapp, nfs, kerberos, and ldap
Mark Dieterich
mkd at cs.brown.edu
Fri Apr 8 19:44:58 EDT 2005
Ahh... So maybe this is my problem. Should I be limiting the
encryption type on my client side? I'm positive that we have limited
the nfs/host service principals to des-cbc-crc, but our client configs
allow stronger encryption types. The clients seem to be getting 3DES
keys. It's actually crashing the rpc.gssd daemon on the client and the
only way we've been able to get everything to work is to have all of our
keys be DES.

I got a private email from someone else on the list that 3DES is a dead
end and that the new standard for encryption will be AES. Should I just
bag getting 3DES running for now? I know we can make things work if we
just stick to DES.

Thanks,
Mark

user wrote:
> Thank you, Jeffrey, for pointing it out.
> Sorry, I didn't make it clear.
>
> It's on the client side, by restricting the requested
> enctypes in the krb5.conf. In our case, the clients
> don't support 3DES encryption.
>
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
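
An added example, not part of the original thread: a small check that reads a client krb5.conf and reports any enctype it may request that the service principal is not keyed for, which is the mismatch discussed above. The sample config, the realm name and the function names are constructed for illustration, and enctype names are compared literally (aliases are not resolved).

```python
import re

# Constructed sample client config (not from the original post).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
"""

# The two [libdefaults] settings named in the quoted reply.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def libdefaults_enctypes(conf_text):
    """Return {setting: [enctypes]} for the enctype lists set in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # entering a new section
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                # Lists may be separated by whitespace or commas.
                found[key] = [e for e in re.split(r"[,\s]+", value) if e]
    return found


def mismatches(conf_text, service_enctypes):
    """List (setting, enctype) pairs the client may request but the service
    key does not cover. A setting that is absent is reported as unrestricted,
    because the library defaults then apply."""
    configured = libdefaults_enctypes(conf_text)
    problems = []
    for key in ENCTYPE_KEYS:
        if key not in configured:
            problems.append((key, "<unrestricted>"))
            continue
        problems += [(key, e) for e in configured[key] if e not in service_enctypes]
    return problems


if __name__ == "__main__":
    # Service principal keyed for des-cbc-crc only, as in the thread.
    for setting, enctype in mismatches(SAMPLE_KRB5_CONF, {"des-cbc-crc"}):
        print(f"{setting}: {enctype} is not covered by the service key")
```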