On Fri, 09 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
I have this documented in
Jose and I exchanged some files privately and I think I've narrowed down
the enrollment problem to failing to get a keytab due to the error:
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
This is because newer IPA servers don't support DES.
I don't recall the workaround for this but it likely involves enabling
weak crypto support in the KDC, something I'm not sure works these days
(not a bad thing).
I seem to recall I made a patch to ipa-getkeytab eons ago to cause it to
not completely fail as long as one requested key type is retrieved by
ipa-getkeytab but it seems unlikely to have been backported to EL 5 (and
zero chance at this point).
Not sure what to recommend at this point. Enabling DES is not the best idea.
Yes, this is not really for a world of 2017.
You could follow the manual client configuration instructions instead.
That would be the best option.
A keytab can be retrieved on a different machine and supplied to the
CentOS 5 client. One needs to make sure only a specific AES key is
retrieved because CentOS 5 does support AES-128 in backports, I think.
/ Alexander Bokovoy