[Freeipa-users] IPA and NFS
Ondrej Valousek
ondrejv at s3group.cz
Tue Feb 7 14:33:11 UTC 2012
Enable debugging on rpc.gssd and prc.svcgssd daemons and paste the output.
Ondrej
On 02/07/2012 01:11 PM, Westerlund Johnny wrote:
> Hey all.
>
> I've been trying to setup kerberized NFS with IPA running on RHEL6.2 and NFS running on RHEL5.7.
> The documentation states that if you are using an older kernel (like the one in RHEL5) you need to use allow_weak_crypto = yes in your krb5.conf and make sure you specify -e des-cbc-crc
> when exporting your keytab from the IPA server. However things are not working out.
>
> I do manage to export a des-cbc-crc key but when trying to mount the NFS share from an IPA client on rhel 6.2 it doesnt work.
> I have put the allow_weak_crypto = yes in the libdefaults section of my krb5.conf on all machines in the domain. And i've tried changing my password after that. But it still doesnt work.
> I'm unsure what to expect but if i do a klist -e i dont see any des-cbc-crc key in my keytab as the user i logged in as.
>
> If i move the NFS server to a RHEL 6.2 the mount from the RHEL6.2 client works just fine but then i'm unable to mount the share from the RHEL5.7 client.
> If i do a kinit user at MYREALM.BLA and check the klist -e i dont have any des-cbc keys. I only get the AES ones.
>
> I did find this thread about running rhel5/rhel6 clients but with an AD kerberos domain so it's not the same problem. but they do get some of the same symptoms.
> http://www.spinics.net/lists/linux-nfs/msg22188.html
>
> There they specify default_tgs_enctypes and default_tkt_enctypes to get it working.
>
> Anyone here know's whats wrong or what i'm doing wrong?
>
> Regards
> Johnny
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Proud winners of the prestigious Irish Software Exporter Award 2011 from Irish Exporters Association (IEA). Please, refer to our web site for more details regarding the award.
--------
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s).
Please direct any additional queries to: communications at s3group.com.
Thank You.
Silicon and Software Systems Limited. Registered in Ireland no. 378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120207/f8923399/attachment.htm>
More information about the Freeipa-users
mailing list