Newbie nfsv4 debian, netapp

Frédéric Goudal frederic.goudal at ipb.fr
Sat Oct 26 06:40:03 EDT 2013 

Le 25 oct. 2013 à 22:12, Benjamin Kaduk <kaduk at MIT.EDU> a écrit :

> On Fri, 25 Oct 2013, Frédéric Goudal wrote:
> 
>> That's the trail I'm following but with no clear result :
>> 
>> After the mount I have the following 
>> 25/10/2013 14:07:45  26/10/2013 14:07:44  krbtgt/DO.M at DO.M
>> 	Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96 25/10/2013 14:07:45  26/10/2013 14:07:44  nfs/server at DO.M
>> 	Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96 
>> So it seems that the des-cbc-crc is on each.
> 
> No, it does not.  It merely says that the session key is DES, but the service ticket iteslf is encrypted with aes256.  If you have deleted the aes256 key from the NFS server's keytab, the NFS server will be unable to decrypt the service ticket.

Ok. From what I understand, reading the Netapp documentation it does not understend aes.

>> Btw when you write KDB is it KDC or keytab of the netapp filer ?
> 
> The KDB is the key database on the KDC.
> 
> I do not think you said what version of kerberos the KDC is running, but for MIT krb5, this would be (on the NFS server) something like:
> kadmin -k -t /etc/krb5.keytab -p nfs/server at REALM -q 'ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/server'

There is something I don't undestand here : what I read is that the command you write does add the des key to the krb5.keytab file after identifying with the keytab file on kadmin.
I don't understand where the operation happens on the KDB.

On the other side, I have tryed to create a principal with only the des-cbc-crc key. (addprinc -randkey -e des-cbc-crc:normal nfs/server at REALM)
When I do a getprinc the principal has only this key.

Iif I do a ktadd command, what happens is that it create all the other enctype on the KDB and than write them on the keytab file  
If I do a ktadd -e des-cbc-crc:normal, it adds only the  des key on the keytab file (as shown by a klist command)... but than I can't do a kinit on the nfs/server at REAM using the resulting keytab file.

Well I'm sorry to bother you with that. I have dug for one week on that problem and read tons of docs...  but I'm still a bit lost.

f.g.

More information about the Kerberos mailing list