[32344] in Kerberos
Re: problem with pam_krb5 4.2-1
daemon@ATHENA.MIT.EDU (Rohit Kumar Mehta)
Fri May 14 18:32:32 2010
Message-ID: <4BEDCFA4.7050102@engr.uconn.edu>
Date: Fri, 14 May 2010 18:33:08 -0400
From: Rohit Kumar Mehta <rohitm@engr.uconn.edu>
MIME-Version: 1.0
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87pr0yh2br.fsf@windlord.stanford.edu>
Cc: "Mehta, Rohit" <rohit@engr.uconn.edu>,
"kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
No the KDCs do not have that option set. I did set it on the one client
(which I upgraded to the latest Ubuntu)
I think the best (and most secure) practice would be to regenerate all
the keytabs and the trust, so I'll tackle it next week.
Thanks for your help!
Rohit
Russ Allbery wrote:
> Rohit Kumar Mehta <rohitm@engr.uconn.edu> writes:
>
>
>> Thanks for your help Russ. My keys are indeed only plain DES keys, but
>> I also have allow_weak_crypto set to true. (We're using Kerberized NFS
>> in Linux which I think at this point requires weak crypto)
>>
>
> Is allow_weak_crypto also set on the KDCs involved?
>
>
>> So I guess I will have to generate new keytabs and recreate the trust,
>> and that problem should go away?
>>
>
> You should not need to do any of that if allow_weak_crypto is set.
>
>
--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031
Office: (860) 486 - 2331
Fax: (860) 486 - 1273
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
