In Mac OS X Server version 10.5, Apple's Kerberized NFS implementation strictly follows RFC 1964 and as a result supports only single DES encryption. However, Open Directory and other Kerberos environments usually create service principals with several keys of differing encryption types. Mac OS X 10.5 clients request only the key types they support, so the additional keys cause no problem for Mac OS X clients. A non-Mac client of a Mac OS X NFS server, however, may be issued a service ticket for a stronger key type (for example Triple DES or ArcFour) that the server cannot handle, and its mount will fail. If you administer such an environment, remove the offending keys from the directory or KDC so that only the single DES key remains. This can be done with the kadmin command. Note that single DES is cryptographically weak and is disabled by default in newer Kerberos implementations, so limit this change to the nfs service principal; do not weaken user or host principals.
The following commands replace the server's existing keys with a single DES key: remove the current keys for the nfs service principal from the KDC and from the keytab, then create a new single DES key and add it to the keytab. Two cautions before you begin. First, delete_principal discards the principal's policy, attributes, and any ACL references (kadmin reminds you of this); on an MIT-derived kadmin you can instead rekey in place with "change_password -randkey -e des-cbc-crc:normal principal", which keeps the principal and achieves the same key set. Second, service tickets that clients already hold for the old keys become unusable once those keys are gone, so existing NFS sessions will need to reauthenticate after the change.
In the following example, TEST.EXAMPLE.COM is the name of the Kerberos realm, "macos-x-nfs.example.com" is the name of the server, and "adminuser" is the name of a user with administrative access to the KDC. Substitute the correct realm, host and user names for your server in each command.
$ sudo kadmin -r TEST.EXAMPLE.COM -p adminuser/admin@TEST.EXAMPLE.COM
Password:
Authenticating as principal adminuser/admin@TEST.EXAMPLE.COM with password.
Password for adminuser/admin@TEST.EXAMPLE.COM: (adminuser/admin's Kerberos password)
kadmin: get_principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Principal: nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Oct 09 14:56:57 PDT 2007
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Oct 09 14:56:57 PDT 2007 (adminuser/admin@TEST.EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin: delete_principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Are you sure you want to delete the principal "nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM"? (yes/no): yes
Principal "nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: add_principal -randkey -e des-cbc-crc:normal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
WARNING: no policy specified for nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM; defaulting to no policy
Principal "nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM" created.
kadmin: get_principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Principal: nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Oct 09 15:00:38 PDT 2007
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Oct 09 15:00:38 PDT 2007 (adminuser/admin@TEST.EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin: ktremove nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd -e des-cbc-crc:normal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit
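After the rekey, a practitioner will want to confirm two things that the transcript above shows only implicitly: that neither the KDC nor the server keytab still carries a non-DES key for the nfs principal, and that the key version number (kvno) agrees on both sides, since ktadd randomizes the key and bumps the kvno and a mismatch makes every mount fail. The following script is an added example and is not part of the Apple article; it parses the output formats of kadmin's get_principal and of "klist -kte" (the sample outputs are constructed here to mirror the transcript, and the function names are this example's own).

```shell
#!/bin/sh
# Added example (not from the original article): verify that the nfs service
# principal has only a single DES key on the KDC and in the keytab, with
# matching key version numbers. On a real server feed it live output:
#   kadmin -q "get_principal $PRINC"   (KDC side)
#   sudo klist -kte /etc/krb5.keytab   (keytab side)

PRINC='nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM'

# Constructed get_principal output before the rekey (three keys).
KDC_BEFORE='Principal: nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Number of keys: 3
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt'

# Constructed get_principal output after add_principal -e and ktadd (one key).
KDC_AFTER='Principal: nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt'

# Constructed "klist -kte" output before ktremove/ktadd; the host/ entry shows
# that unrelated principals are ignored by the check.
KEYTAB_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 10/09/07 14:56:57 nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 10/09/07 14:56:57 nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM (ArcFour with HMAC/md5)
   3 10/09/07 14:56:57 nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM (DES cbc mode with CRC-32)
   2 10/09/07 14:50:00 host/macos-x-nfs.example.com@TEST.EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# Constructed "klist -kte" output after ktadd -e des-cbc-crc:normal.
KEYTAB_AFTER='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 10/09/07 15:02:10 nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM (DES cbc mode with CRC-32)
   2 10/09/07 14:50:00 host/macos-x-nfs.example.com@TEST.EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)'

# kdc_keys: stdin is get_principal output; prints one "vno|enctype" line per key.
kdc_keys() {
    sed -n 's/^Key: vno \([0-9]*\), \(.*\), .*$/\1|\2/p'
}

# keytab_keys PRINC: stdin is "klist -kte" output; prints "kvno|enctype" for PRINC only.
keytab_keys() {
    grep -F " $1 (" | sed -n 's/^ *\([0-9]*\) .* (\(.*\))$/\1|\2/p'
}

# is_single_des ENCTYPE: true for the single DES enctypes RFC 1964 servers can use.
is_single_des() {
    case "$1" in
        "DES cbc mode with CRC-32"|"DES cbc mode with RSA-MD5"|"DES cbc mode with RSA-MD4") return 0 ;;
        *) return 1 ;;
    esac
}

# count_non_des: stdin is "vno|enctype" lines; prints how many are not single DES.
count_non_des() {
    n=0
    while IFS='|' read -r vno enc; do
        is_single_des "$enc" || n=$((n + 1))
    done
    echo "$n"
}

# check_rekey PRINC KDC_OUTPUT KEYTAB_OUTPUT: returns 0 only if both sides hold
# single DES keys for PRINC and the key version numbers agree.
check_rekey() {
    princ="$1"
    kdc=$(printf '%s\n' "$2" | kdc_keys)
    kt=$(printf '%s\n' "$3" | keytab_keys "$princ")
    if [ -z "$kdc" ] || [ -z "$kt" ]; then
        echo "no keys found for $princ"; return 1
    fi
    bad=$(printf '%s\n' "$kdc" "$kt" | count_non_des)
    if [ "$bad" -ne 0 ]; then
        echo "$bad key(s) for $princ are not single DES; a non-Mac client may still be issued a ticket for them"
        return 1
    fi
    kdc_vno=$(printf '%s\n' "$kdc" | cut -d'|' -f1 | sort -u)
    kt_vno=$(printf '%s\n' "$kt" | cut -d'|' -f1 | sort -u)
    if [ "$kdc_vno" != "$kt_vno" ]; then
        echo "kvno mismatch for $princ: KDC has $kdc_vno, keytab has $kt_vno"
        return 1
    fi
    echo "$princ: single DES only, kvno $kt_vno on KDC and in keytab"
    return 0
}

# Usage: the pre-rekey state is expected to fail, the post-rekey state to pass.
check_rekey "$PRINC" "$KDC_BEFORE" "$KEYTAB_BEFORE" || true
check_rekey "$PRINC" "$KDC_AFTER" "$KEYTAB_AFTER"
```

The enctype names are matched as kadmin and klist print them in this release; if your tools print the short forms (des-cbc-crc, des3-cbc-sha1, arcfour-hmac) instead, extend the case list in is_single_des accordingly.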
For more information about Kerberized NFS in Mac OS X Server version 10.5, see this article.