Q3: Why doesn't my keytab with Triple-DES work?

Q: Why doesn't my keytab work with Triple-DES?

A: Not all Kerberos implementations support Triple-DES. Solaris does, but neither of Linux nor Data ONTAP do.

If Kerberized access is not working, and non-Kerberized access is, then check out your keytab to see if Single-DES is supported. I know of 3 ways to help fix this problem:

• Regenerate your keytab with DES support.
  • Either remove Triple-DES,
  • Or make sure DES is first. Some implementations will not work correctly if Triple-DES is first.
• The TGS ticket enc types can be restricted on the client by changing the krb5.conf file to set the option default_tgs_enctypes to something like: des-cbc-crc.
• Recreate the server's nfs principal to only include the single des enctype.

Posted at 11:23PM Mar 04, 2006 by tdh in FAQ  |  Comments[0]