Simo Sorce wrote:
On Fri, 2012-02-24 at 08:57 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
We noticed that older client machines couldn't join FreeIPA 2.1.90
servers running KDC 1.90. It was failing to return a ticket for DES so
the whole keytab request was failing.

I changed it so failures are acceptable as long as one requested type is

I wasn't able to get my KDC to actually return a DES key despite
enabling weak crypto and adding the des enctypes. Not sure if this is a
problem on my end or not. I used RHEL 5 as the client.

The problem is that the authoritative list for the IPA server is in

In there, there are 2 multivalue attributes: krbDefaultEncSaltTypes and

You need to add any enctype you want 'supported' in that list.
You may have to restart DS after you change those values as I don't
remember if we update internal structures on the fly.

Restarting the KDC did it. I disabled arcfour and now I see two failed
cert types from RHEL 5:

$ ipa-getkeytab -s -p test/ -k
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /tmp/test.kt

On the patch, where does the '48' come from?

Completely arbitrarily, trying to keep the error on a single line (similar to
the list of supported enctypes truncating at 79).

I do not like this much, but it is just an error message so ACK.


I switched it to use 79 and be consistent with other uses of krb5_enctype_to_string().

Pushed to master and ipa-2-2.
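The behaviour the thread settles on (a keytab request succeeds as long as at least one requested enctype was retrieved, each failure gets its own one-line message, and the enctype name is truncated at 79 characters) can be modelled in a few lines. The following is an added example written for this thread, not FreeIPA's own ipa-getkeytab code. The enctype-number-to-name table is a constructed subset of MIT krb5's names, the "weak" set is an assumption used only to flag a defender-relevant edge case (a request that succeeded only with DES or RC4), and the server responses are constructed inputs, not a real KDC exchange.

```python
"""Outcome of a keytab request when only some requested enctypes are returned.

Added example modelling the logic discussed on freeipa-devel; it is not
FreeIPA's own code. Enctype numbers follow RFC 3961/4120 assignments; the
display names are a constructed subset of what krb5_enctype_to_string() emits.
"""
from dataclasses import dataclass, field

# Constructed lookup table (assumption: a subset of krb5_enctype_to_string()).
ENCTYPE_NAMES = {
    1: "DES cbc mode with CRC-32",
    3: "DES cbc mode with RSA-MD5",
    17: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
    23: "ArcFour with HMAC/md5",
}

# Assumption: single-DES and RC4 are treated as weak for reporting purposes.
WEAK_ENCTYPES = {1, 3, 23}

# Matches the thread: enctype string kept to a single 79-character line.
LINE_LIMIT = 79


@dataclass
class KeytabResult:
    ok: bool                                  # at least one enctype retrieved
    retrieved: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    messages: list = field(default_factory=list)
    weak_only: bool = False                   # success came solely from weak enctypes


def enctype_to_string(enctype: int) -> str:
    """Return a display name, truncated to LINE_LIMIT like the patched code."""
    name = ENCTYPE_NAMES.get(enctype, f"unknown enctype {enctype}")
    return name[:LINE_LIMIT]


def format_failure(enctype: int) -> str:
    """One-line error in the same shape as the ipa-getkeytab output above."""
    return f"Failed to retrieve encryption type {enctype_to_string(enctype)} (#{enctype})"


def evaluate_keytab_request(requested: list, server_keys: dict) -> KeytabResult:
    """Apply the 'fail only if every enctype failed' rule.

    requested   - enctype numbers the client asked for, in request order
    server_keys - constructed stand-in for the KDC reply: enctype -> bool
                  (True if the server produced a key for that enctype)
    """
    retrieved = [e for e in requested if server_keys.get(e, False)]
    failed = [e for e in requested if not server_keys.get(e, False)]
    messages = [format_failure(e) for e in failed]
    ok = bool(retrieved)
    weak_only = ok and all(e in WEAK_ENCTYPES for e in retrieved)
    return KeytabResult(ok, retrieved, failed, messages, weak_only)


def rhel5_against_aes_only_kdc() -> KeytabResult:
    """Constructed scenario from the thread: the KDC answers only with AES."""
    requested = [18, 17, 23, 1]                       # AES-256, AES-128, RC4, DES
    server_keys = {18: True, 17: True, 23: False, 1: False}
    return evaluate_keytab_request(requested, server_keys)


if __name__ == "__main__":
    result = rhel5_against_aes_only_kdc()
    for line in result.messages:
        print(line)
    print("Keytab successfully retrieved" if result.ok else "Keytab request failed")
    if result.weak_only:
        print("Warning: only weak enctypes were retrieved")
```

Running the constructed scenario prints the same two failure lines shown in the thread for RC4 (#23) and DES-CBC-CRC (#1) and still reports success, because the AES keys were retrieved. The `weak_only` flag is the extra check worth having on the defender side: a request that succeeds solely because a legacy DES or RC4 key came back is not a failure under the patched rule, but it is worth surfacing.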


Freeipa-devel mailing list