Simo Sorce wrote:
On Fri, 2012-02-24 at 08:57 -0500, Rob Crittenden wrote:
Simo Sorce wrote:
On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
We noticed that older client machines couldn't join FreeIPA 2.1.90
servers running KDC 1.90. It was failing to return a ticket for DES so
the whole keytab request was failing.
I changed it so failures are acceptable as long as one requested type is
returned.
I wasn't able to get my KDC to actually return a DES key despite
enabling weak crypto and adding the des enctypes. Not sure if this is a
problem on my end or not. I used RHEL 5 as the client.
The problem is that the authoritative list for the IPA server is in
cn=REALM.NAME,cn=kerberos,$suffix
In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes.
You need to add any enctype you want 'supported' in that list.
You may have to restart DS after you change those values as I don't
remember if we update internal structures on the fly.
Restarting the KDC did it. I disabled arcfour and now I see two failed
cert types from RHEL 5:
$ ipa-getkeytab -s doberman.example.com -p test/zeus.example.com -k
/tmp/test.kt
Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
Keytab successfully retrieved and stored in: /tmp/test.kt
On the patch where does the '48' comes from ?
Completely arbitrarily trying to keep error on a single line (similar to
the list of supported enctypes truncating at 79).
I do not like this much, but it is just an error message so ACK.
Simo.krb5_enctype_to_string
I switch it to use 79 and be consistent with other uses of
krb5_enctype_to_string()
pushed to master and ipa-2-2
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
