On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> We noticed that older client machines couldn't join FreeIPA 2.1.90
> servers running KDC 1.90. It was failing to return a ticket for DES so
> the whole keytab request was failing.
>
> I changed it so failures are acceptable as long as one requested type is
> returned.
>
> I wasn't able to get my KDC to actually return a DES key despite
> enabling weak crypto and adding the des enctypes. Not sure if this is a
> problem on my end or not. I used RHEL 5 as the client.

The problem is that the authoritative list for the IPA server is in
cn=REALM.NAME,cn=kerberos,$suffix

In there, there are 2 multivalue attributes: krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes. You need to add any enctype you want
'supported' in that list.

You may have to restart DS after you change those values, as I don't
remember if we update internal structures on the fly.

On the patch, where does the '48' come from?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
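
The supported-list behaviour discussed in this thread, as an added example that is not part of either message and is not FreeIPA code: it reads a realm entry in LDIF form, reports which requested enctypes are on the krbSupportedEncSaltTypes list, and flags any single-DES types that have been enabled. The sample LDIF, the `EXAMPLE.COM` realm, the function names and the client request lists are constructed assumptions.

```python
# Added example: audits krbSupportedEncSaltTypes from an LDIF dump of the
# realm entry. Sample data is constructed; helper names are hypothetical.
# Assumes plain "attr: value" lines (no base64 values, no folded lines).

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

SAMPLE_LDIF = """\
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
"""


def parse_realm_entry(ldif):
    """Return {lowercased attribute: [values]} for a single LDIF entry."""
    entry = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#") or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry


def supported_enctypes(entry):
    """Strip the ':salt' suffix from each enctype:salttype value."""
    values = entry.get("krbsupportedencsalttypes", [])
    return {v.split(":", 1)[0].lower() for v in values}


def check_request(entry, requested):
    """Split a client's requested enctypes into granted and refused."""
    supported = supported_enctypes(entry)
    granted = [e for e in requested if e.lower() in supported]
    refused = [e for e in requested if e.lower() not in supported]
    return {
        "granted": granted,
        "refused": refused,
        # The request is usable if at least one requested type is supported.
        "usable": bool(granted),
        # Single-DES types on the supported list deserve a review.
        "weak_supported": sorted(supported & SINGLE_DES),
    }


if __name__ == "__main__":
    realm = parse_realm_entry(SAMPLE_LDIF)
    print(check_request(realm, ["aes256-cts", "des-cbc-crc"]))
```
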