10:31 a.m.
Hello,
I try to enable des3-cbc-sha1 encryption type for a nfs service on a linux Centos-7
nfs-server that is enrolled with a ipa 4.6.4 server
I have allow_weak_crypto = true in my keytab.conf on the nfs server.
To check permitted encryption types I do on the nfs server:
$ipa-getkeytab --permitted-enctypes
Supported encryption types:
AES-256 CTS mode with 96-bit SHA-1 HMAC
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 192-bit SHA-384 HMAC
AES-128 CTS mode with 128-bit SHA-256 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
Camellia-128 CTS mode with CMAC
Camellia-256 CTS mode with CMAC
DES cbc mode with CRC-32
DES cbc mode with RSA-MD5
DES cbc mode with RSA-MD4
when:
$ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN —e des3-cbc-sha1 -k /etc/krb5.keytab
I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
However when checking I only see "aes" encryption types are optained.
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
Not shure what I am doing wrong here.
I would like to experiment with weak encryption type to see if it's possible to mount
a kereberized nfs share on a Apple computer
running osx 10.13
If I read the documentation well Apple supports: OS X NFS RPCSEC_GSS supports:
des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1.
nfs version 3
Thanks for any help.
Rob.
3:17 p.m.
New subject: encrytion type "Triple DES cbc mode with HMAC/sha1" ipa-getkeytab not granted by ipa 4.6.4 server
Rob van Halteren via FreeIPA-users wrote:
Hello,
I try to enable des3-cbc-sha1 encryption type for a nfs service on a linux Centos-7
nfs-server that is enrolled with a ipa 4.6.4 server
I have allow_weak_crypto = true in my keytab.conf on the nfs server.
To check permitted encryption types I do on the nfs server:
$ipa-getkeytab --permitted-enctypes
Supported encryption types:
AES-256 CTS mode with 96-bit SHA-1 HMAC
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 192-bit SHA-384 HMAC
AES-128 CTS mode with 128-bit SHA-256 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
Camellia-128 CTS mode with CMAC
Camellia-256 CTS mode with CMAC
DES cbc mode with CRC-32
DES cbc mode with RSA-MD5
DES cbc mode with RSA-MD4
when:
$ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN —e des3-cbc-sha1 -k /etc/krb5.keytab
I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
However when checking I only see "aes" encryption types are optained.
> klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
Not shure what I am doing wrong here.
I would like to experiment with weak encryption type to see if it's possible to mount
a kereberized nfs share on a Apple computer
running osx 10.13
If I read the documentation well Apple supports: OS X NFS RPCSEC_GSS supports:
des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1.
nfs version 3
Thanks for any help.
This is going to sound nuts but can you try the -e des3-cbc-sha1 after
the keytab?
It looks like popt may not be picking up the -e in all cases. I've got a
very weird reproducer on my system and its completely baffling.
rob
4:40 a.m.
New subject: encrytion type "Triple DES cbc mode with HMAC/sha1" ipa-getkeytab not granted by ipa 4.6.4 server
Thanks for responding.
Solved it. It’s not ipa but my own fault.
found in my command string: "ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN -k
/etc/krb5.keytab —e des3-cbc-sha1” that the “-“ before the "e des3-cbc-sha"1
was not a real “-"
wrong and therfore bypassed: —e des3-cbc-sha1
correct and accepted: -e des3-cbc-sha1
Regards,
Rob.
<http://www.linkedin.com/company/filmmore-amsterdam/>
On 2 dec. 2020, at 22:17, Rob Crittenden <rcritten(a)redhat.com>
wrote:
Rob van Halteren via FreeIPA-users wrote:
> Hello,
>
> I try to enable des3-cbc-sha1 encryption type for a nfs service on a linux Centos-7
nfs-server that is enrolled with a ipa 4.6.4 server
> I have allow_weak_crypto = true in my keytab.conf on the nfs server.
>
> To check permitted encryption types I do on the nfs server:
> $ipa-getkeytab --permitted-enctypes
> Supported encryption types:
> AES-256 CTS mode with 96-bit SHA-1 HMAC
> AES-128 CTS mode with 96-bit SHA-1 HMAC
> AES-256 CTS mode with 192-bit SHA-384 HMAC
> AES-128 CTS mode with 128-bit SHA-256 HMAC
> Triple DES cbc mode with HMAC/sha1
> ArcFour with HMAC/md5
> Camellia-128 CTS mode with CMAC
> Camellia-256 CTS mode with CMAC
> DES cbc mode with CRC-32
> DES cbc mode with RSA-MD5
> DES cbc mode with RSA-MD4
>
> when:
> $ ipa-getkeytab -p nfs/myhost.mydomain@MYDOMAIN —e des3-cbc-sha1 -k
/etc/krb5.keytab
>
> I get: Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> However when checking I only see "aes" encryption types are optained.
>
>> klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 host/myhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
> 1 host/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
> 4 nfs/myhost.mydomain@MYDOMAIN (aes128-cts-hmac-sha1-96)
> 4 nfs/rmyhost.mydomain@MYDOMAIN (aes256-cts-hmac-sha1-96)
>
> Not shure what I am doing wrong here.
>
> I would like to experiment with weak encryption type to see if it's possible to
mount a kereberized nfs share on a Apple computer
> running osx 10.13
> If I read the documentation well Apple supports: OS X NFS RPCSEC_GSS supports:
des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1.
> nfs version 3
>
> Thanks for any help.
This is going to sound nuts but can you try the -e des3-cbc-sha1 after
the keytab?
It looks like popt may not be picking up the -e in all cases. I've got a
very weird reproducer on my system and its completely baffling.
rob
1238
days inactive
1239
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Rob Crittenden -
Rob van Halteren