On Tue, 2012-02-07 at 16:57 +0100, Westerlund Johnny wrote:
> Hey all.
>
> Left for the day so I'll try and post debug output tomorrow. However I
> think I might have stumbled upon the issue.
>
> If I do a klist -kte as root, none of the RHEL6.2 machines have a
> des-cbc-crc key in the list, but the RHEL5.7 does.
> The NFS service which can only use des-cbc-crc can't speak with the KDC
> since that host does not have any keys that support that encryption.
> So I guess I need to enable allow_weak_crypto in the krb5.conf and
> then update my principal on the hosts with ipa-getkeytab -s <server>
> -p host/hostname.domain@DOMAIN

You may also have to enable DES keys on the KDC itself, depending on the
IPA version.

You certainly need *exclusively* DES keys for the nfs/fqdn@REALM key (due
to your old client unfortunately). All nfs keys must use only DES both on
the client and unfortunately also on the server.

However *do not* change the host/ key. You do not need DES keys for that
one, and you'd severely degrade your host security by using DES keys in
your host/fqdn principal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
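
The keytab check discussed in this thread, as an added example that is not part of the original messages: it parses `klist -kte` output and flags host/ keys that use single DES and nfs/ keys that are not DES, following the rule in the reply above. The function names and the sample output (hosts, realm, timestamps) are constructed for illustration.

```python
import re

# Constructed sample of `klist -kte` output; host names and realm are placeholders.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 02/07/12 16:57:01 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/07/12 16:57:01 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
   3 02/07/12 17:02:10 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
   3 02/07/12 17:02:10 nfs/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 02/07/12 17:05:44 nfs/server.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

# KVNO, anything (timestamp), principal, enctype in parentheses at end of line.
ENTRY = re.compile(r"^\s*(\d+)\s+.*?\s(\S+@\S+)\s+\((.+)\)\s*$")


def is_single_des(enctype):
    """True for single-DES enctypes, in the short or the long klist spelling."""
    name = enctype.lower()
    # des3-* and "Triple DES ..." do not match either prefix.
    return name.startswith(("des-cbc-", "des cbc mode"))


def audit_keytab(klist_output):
    """Return (principal, kvno, enctype, problem) for each key breaking the rule."""
    findings = []
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # keytab name, column header, separator
        kvno, principal, enctype = m.groups()
        service = principal.split("/", 1)[0]
        des = is_single_des(enctype)
        if service == "host" and des:
            findings.append((principal, int(kvno), enctype, "host/ key uses DES"))
        elif service == "nfs" and not des:
            findings.append((principal, int(kvno), enctype, "nfs/ key is not DES"))
    return findings


if __name__ == "__main__":
    for principal, kvno, enctype, problem in audit_keytab(SAMPLE):
        print(f"{principal} kvno={kvno} ({enctype}): {problem}")
```

To check a real host, pass the text printed by `klist -kte` run as root to `audit_keytab` in place of `SAMPLE`.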
