Jose and I exchanged some files privately and I think I've narrowed down
the enrollment problem to failing to get a keytab due to the error:

Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)

This is because newer IPA servers don't support DES.

I don't recall the workaround for this but it likely involves enabling
weak crypto support it the KDC, something I'm not sure works these days
(not a bad thing).

I seem to recall I made a patch to ipa-getkeytab eons ago to cause it to
not completely fail as long as one requested key type is retrieved by
ipa-getkeytab but it seems unlikely to have been backported to EL 5 (and
zero chance at this point).

Not sure what to recommend at this point. Enabling DES is not the best idea.

You could follow the manual client configuration instructions instead.

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to