800542 – Need way to obtain DES keys for older NFS

Bug 800542 - Need way to obtain DES keys for older NFS

Summary: Need way to obtain DES keys for older NFS

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	doc-Identity_Management_Guide
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Deon Ballard
QA Contact:	ecs-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-06 17:02 UTC by Dmitri Pal
Modified:	2012-06-21 23:15 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-21 23:15:09 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Dmitri Pal 2012-03-06 17:02:18 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2471

DES is completely disabled in 2.2 servers. We need a way to be able to generate DES keys at least for older NFS clients and servers.

I tried adding allow_weak_crypto = yes to libdefaults of the IPA server krb5.conf and adding support for the enc type but was still unable to use ipa-getkeytab from a RHEL-5 client.

I added this to LDAP:
dn: cn=$REALM,cn=kerberos,dc=greyoak,dc=com
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:special
krbDefaultEncSaltTypes: des-cbc-crc:special

Comment 2 Deon Ballard 2012-05-03 16:34:36 UTC

Setting all priority and severity to medium.

Comment 5 Deon Ballard 2012-06-21 23:15:09 UTC

Closing.

Note You need to log in before you can comment on or make changes to this bug.