[Freeipa-users] Re: Adding Windows 10 client to freeIPA - Error : Failed to parse result: All enctypes provided are unsupported

Tue, 07 Jul 2020 08:11:17 -0700 

On ti, 07 heinä 2020, lovepreetdeol via FreeIPA-users wrote:

Hi,
Running freeIPA server on centos 8.2. Trying to setup mixed OS
environment with linux and windows clients.  Another centos8.2 machine
connects to freeIPA without any problem.
I am trying to connect a windows 10 client to the freeIPA and getting
the following error :



This (enrolling Windows system to IPA) is not supported. 


Your problem is different, though.


[root@directory ~]#
[root@directory ~]# ipa-getkeytab -s directory.compnet.local -p 
host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P
New Principal Password:
Verify Principal Password:
Failed to parse result: All enctypes provided are unsupported
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: All enctypes provided are unsupported
Failed to get keytab!
Failed to get keytab
[root@directory ~]#


In RHEL 8.2 (and earlier, starting with Fedora 30) MIT Kerberos started
to deprecate RC4-HMAC encryption type. It is weak. FreeIPA 4.8.2+
changed the code to prevent generation of RC4-HMAC keys for all
principals but cifs/..., so this is what you see above.

https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html#changes-to-ldap-plugins

This is also documented in RHEL 8 documentation:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index#enabling-the-aes-encryption-type-in-active-directory-using-a-gpo_setting-up-samba-on-an-idm-domain-member


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org






















					Reply via email to