Newbie nfsv4 debian, netapp
Benjamin Kaduk
kaduk at MIT.EDU
Fri Oct 25 16:12:30 EDT 2013
On Fri, 25 Oct 2013, Frédéric Goudal wrote:
> That's the trail I'm following but with no clear result:
>
> After the mount I have the following
>
> 25/10/2013 14:07:45 26/10/2013 14:07:44 krbtgt/DO.M@DO.M
> Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
> 25/10/2013 14:07:45 26/10/2013 14:07:44 nfs/server@DO.M
> Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
>
> So it seems that the des-cbc-crc is on each.
No, it does not. It merely says that the session key is DES, but the
service ticket itself is encrypted with aes256. If you have deleted the
aes256 key from the NFS server's keytab, the NFS server will be unable to
decrypt the service ticket.
> Btw when you write KDB is it KDC or keytab of the netapp filer?
The KDB is the key database on the KDC.
I do not think you said what version of kerberos the KDC is running, but
for MIT krb5, this would be (on the NFS server) something like:
    kadmin -k -t /etc/krb5.keytab -p nfs/server@REALM -q 'ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/server'
-Ben Kaduk
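
The distinction drawn in the reply above (session-key enctype versus the enctype the ticket is encrypted with), as an added example that is not part of the original message: a Python script that reads `klist -e` output from the client and `klist -ke` output from the server and reports service tickets the keytab cannot decrypt. Both listings are constructed samples, and the short enctype names in the keytab listing are an assumption about the klist version in use.

```python
import re

# Constructed `klist -e` output on the NFS client, modelled on the listing quoted above.
KLIST_E = """\
25/10/2013 14:07:45  26/10/2013 14:07:44  krbtgt/DO.M@DO.M
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
25/10/2013 14:07:45  26/10/2013 14:07:44  nfs/server@DO.M
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""
# Constructed `klist -ke` output on the server once the aes256 key is gone
# (short enctype names assumed; older klist builds print long descriptions).
KEYTAB_DES_ONLY = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 nfs/server@DO.M (des-cbc-crc)
"""

TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)")
KEYTAB_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")

def parse_tickets(text):
    """Return [(principal, session_key_etype, ticket_etype), ...]."""
    tickets, principal = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            principal = m.group(1)
        elif principal and (e := ETYPE_RE.search(line)):
            tickets.append((principal, e.group(1), e.group(2)))
            principal = None
    return tickets

def parse_keytab(text):
    """Return {principal: {enctype, ...}} for every key in the keytab listing."""
    keys = {}
    for line in text.splitlines():
        if m := KEYTAB_RE.match(line):
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys

def undecryptable(tickets, keytab):
    """Tickets whose *ticket* enctype (not session key) has no key in the keytab."""
    return [(p, tkt) for p, _skey, tkt in tickets
            if p in keytab and tkt not in keytab[p]]

if __name__ == "__main__":
    for princ, etype in undecryptable(parse_tickets(KLIST_E), parse_keytab(KEYTAB_DES_ONLY)):
        print(f"{princ}: ticket is {etype}, keytab has no such key")
```

The krbtgt entry is skipped because only principals present in the server keytab are checked.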