On Fri, 09 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
Jose and I exchanged some files privately and I think I've narrowed down
the enrollment problem to failing to get a keytab due to the error:

Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)

This is because newer IPA servers don't support DES.

I don't recall the workaround for this but it likely involves enabling
weak crypto support in the KDC, something I'm not sure works these days
(not a bad thing).
I have this documented in https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/#enabling-weak-encryption-types-in-freeipa

I seem to recall I made a patch to ipa-getkeytab eons ago to cause it to
not completely fail as long as one requested key type is retrieved by
ipa-getkeytab but it seems unlikely to have been backported to EL 5 (and
zero chance at this point).

Not sure what to recommend at this point. Enabling DES is not the best idea.
Yes, this is not really for a world of 2017.

You could follow the manual client configuration instructions instead.
That would be the best option.

A keytab can be retrieved on a different machine and supplied to the
CentOS 5 client. One needs to make sure only a specific AES key is
retrieved because CentOS 5 does support AES-128 in backports, I think.

--
/ Alexander Bokovoy