[35905] in Kerberos


Re: Transferring NFSv4 nfs/ keys from KDC to client?

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Mar 20 23:30:41 2014

Date: Thu, 20 Mar 2014 23:30:27 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Wendy Lin <wendlin1974@gmail.com>
In-Reply-To: <CA+j=ERow1xhoCMU8oh7Hp8R2DpCBbHJZvDMsMLkbysG5SFcwzw@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1403202329100.21026@multics.mit.edu>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>

On Thu, 20 Mar 2014, Wendy Lin wrote:

> On 20 March 2014 15:23, Simo Sorce <simo@redhat.com> wrote:
>> On Thu, 2014-03-20 at 14:48 +0100, ольга крыжановская wrote:
>>> Can any one confirm, or deny, that using only
>>>
>>> permitted_enctypes = "des-cbc-crc"
>>>
>>> will work around the problem?
>>
>> In older kernels the only encryption algorithm supported for NFS is DES,
>> this is a well known limitation.
>>
>>>  How can I create such a "des-cbc-crc"
>>> key, if I do not have them yet?
>>
>> You can get a new set of keys for the principal using ktadd and passing
>> it -e des-cbc-crc as an option. This will create only a des key for the
>> principal and the KDC will use no other encryption algorithms when
>> releasing tickets for the principal to other clients.
>
> It does not work:
> ktadd -e des-cbc-crc testuser
> ktadd: Invalid argument while parsing keysalts des

As documented at
http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmin_local.html#ktadd
, the argument to the -e flag is an enctype:salt pair, e.g.,
des-cbc-crc:normal.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
