Rob van Halteren via FreeIPA-users wrote:
> Hello,
>
> I try to enable des3-cbc-sha1 encryption type for a nfs service on a linux
> Centos-7 nfs-server that is enrolled with a ipa 4.6.4 server
> I have allow_weak_crypto = true in my keytab.conf on the nfs server.
>
> To check permitted encryption types I do on the nfs server:
> $ipa-getkeytab --permitted-enctypes
> Supported encryption types:
> AES-256 CTS mode with 96-bit SHA-1 HMAC
> AES-128 CTS mode with 96-bit SHA-1 HMAC
> AES-256 CTS mode with 192-bit SHA-384 HMAC
> AES-128 CTS mode with 128-bit SHA-256 HMAC
> Triple DES cbc mode with HMAC/sha1
> ArcFour with HMAC/md5
> Camellia-128 CTS mode with CMAC
> Camellia-256 CTS mode with CMAC
> DES cbc mode with CRC-32
> DES cbc mode with RSA-MD5
> DES cbc mode with RSA-MD4
>
> when:
> $ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN —e des3-cbc-sha1 -k
> /etc/krb5.keytab
>
> I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> However when checking I only see "aes" encryption types are obtained.
>
>> klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
> 1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
> 4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
> 4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
>
> Not sure what I am doing wrong here.
>
> I would like to experiment with weak encryption type to see if it's possible
> to mount a kerberized nfs share on a Apple computer
> running osx 10.13
> If I read the documentation well Apple supports: OS X NFS RPCSEC_GSS
> supports: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1.
> nfs version 3
>
> Thanks for any help.
This is going to sound nuts but can you try the -e des3-cbc-sha1 after the keytab? It looks like popt may not be picking up the -e in all cases. I've got a very weird reproducer on my system and it's completely baffling.

rob
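
Added example, not part of the original thread or of FreeIPA: since `ipa-getkeytab` reported success while the keytab held only AES keys, a scripted check of `klist -ke` output can confirm whether the requested enctype actually landed at the principal's current kvno. The function names and the sample listing are constructed for illustration, and the parser assumes plain `klist -ke` output (no `-t` timestamps).

```shell
#!/usr/bin/env bash
# Added example: verify that a keytab holds the enctype that was requested.
# Both functions read `klist -ke` style output on stdin.

# Constructed sample in the layout of the klist -ke listing quoted above.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
   1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
   4 nfs/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)'

# Print "kvno enctype" for every keytab entry of one principal.
# usage: keytab_enctypes PRINCIPAL < klist-output
keytab_enctypes() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            e = $NF
            gsub(/[()]/, "", e)      # "(aes256-...)" -> "aes256-..."
            print $1, e
        }'
}

# Succeed only if PRINCIPAL has ENCTYPE at its highest kvno; older kvnos
# are ignored because the KDC issues tickets for the newest key only.
# usage: keytab_has_enctype PRINCIPAL ENCTYPE < klist-output
keytab_has_enctype() {
    keytab_enctypes "$1" | awk -v want="$2" '
        NR == 1 || $1 + 0 > max { max = $1 + 0; found = 0 }
        $1 + 0 == max && $2 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Demo on the constructed sample; on a real host pipe in
# `klist -ke /etc/krb5.keytab` instead.
if printf '%s\n' "$SAMPLE_KLIST" |
        keytab_has_enctype nfs/myhost.mydomain@MYDOMAIN des3-cbc-sha1; then
    echo "des3-cbc-sha1 present at current kvno"
else
    echo "des3-cbc-sha1 missing: request was not honoured"
fi
```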
