[23688] in Kerberos
Re: netapp, nfs, kerberos, and ldap
daemon@ATHENA.MIT.EDU (Mark Dieterich)
Fri Apr 8 19:45:38 2005
Message-ID: <4257177A.4010200@cs.brown.edu>
Date: Fri, 08 Apr 2005 19:44:58 -0400
From: Mark Dieterich <mkd@cs.brown.edu>
MIME-Version: 1.0
To: coadyho@yahoo.com
In-Reply-To: <425688B2.4050300@yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Ahh... So maybe this is my problem. Should I be limiting the
encryption type on my client side? I'm positive that we have limited
the nfs/host service principles to des-cbc-crc, but our client configs
allow stronger encryption types. The clients seem to be getting 3DES
keys. It's actually crashing the rpc.gssd daemon on the client and the
only way we've been able to get everything to work is to have all of our
keys be DES.
I got a private email from someone else on the list that 3DES is a dead
end and that the new standard for encryption will be AES. Should I just
bag getting 3DES running for now? I know we can make things work if we
just stick to DES.
Thanks,
Mark
user wrote:
> Thank you, Jeffrey, for pointing it out.
> Sorry, I didn't make it clear.
>
> It's on the client side, by restricting the requested
> enctypes in the krb5.conf. In our case, the clients
> don't support 3DES encryption.
>
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos