On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> We noticed that older client machines couldn't join FreeIPA 2.1.90
> servers running KDC 1.90. It was failing to return a ticket for DES so
> the whole keytab request was failing.
> I changed it so failures are acceptable as long as one requested type is
> I wasn't able to get my KDC to actually return a DES key despite
> enabling weak crypto and adding the des enctypes. Not sure if this is a
> problem on my end or not. I used RHEL 5 as the client.
The problem is that the authoritative list for the IPA server is in
In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
You need to add any enctype you want 'supported' in that list.
You may have to restart DS after you change those values as I don't
remember if we update internal structures on the fly.
On the patch where does the '48' comes from ?
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list