On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> We noticed that older client machines couldn't join FreeIPA 2.1.90 
> servers running KDC 1.90. It was failing to return a ticket for DES so 
> the whole keytab request was failing.
> I changed it so failures are acceptable as long as one requested type is 
> returned.
> I wasn't able to get my KDC to actually return a DES key despite 
> enabling weak crypto and adding the des enctypes. Not sure if this is a 
> problem on my end or not. I used RHEL 5 as the client.

The problem is that the authoritative list for the IPA server is in

In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and

You need to add any enctype you want 'supported' in that list.
You may have to restart DS after you change those values as I don't
remember if we update internal structures on the fly.

On the patch where does the '48' comes from ?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to