On Tue, 07 Jul 2020, lovepreetdeol via FreeIPA-users wrote:
> Hi, Running FreeIPA server on CentOS 8.2. Trying to set up mixed OS
> environment with Linux and Windows clients. Another CentOS 8.2 machine
> connects to FreeIPA without any problem. I am trying to connect a
> Windows 10 client to the FreeIPA and getting the following error:
This (enrolling Windows system to IPA) is not supported.
Your problem is different, though.
> [root@directory ~]#
> [root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P
> New Principal Password:
> Verify Principal Password:
> Failed to parse result: All enctypes provided are unsupported
> Retrying with pre-4.0 keytab retrieval method...
> Failed to parse result: All enctypes provided are unsupported
> Failed to get keytab!
> Failed to get keytab
> [root@directory ~]#
In RHEL 8.2 (and earlier, starting with Fedora 30) MIT Kerberos started to deprecate the RC4-HMAC encryption type. It is weak. FreeIPA 4.8.2+ changed the code to prevent generation of RC4-HMAC keys for all principals but cifs/..., so this is what you see above.

https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-controller.html#changes-to-ldap-plugins

This is also documented in RHEL 8 documentation:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index#enabling-the-aes-encryption-type-in-active-directory-using-a-gpo_setting-up-samba-on-an-idm-domain-member

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
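
A related check for existing keytabs, added here as an example and not part of the original message or of FreeIPA: the function below reads `klist -ekt` output and lists entries that still carry RC4 or DES-family keys. The function names and the sample listing are constructed for illustration, and the parser assumes the MIT `klist` layout in which each entry ends with the enctype name in parentheses (newer releases prefix deprecated ones with `DEPRECATED:`).

```shell
#!/bin/sh
# Added example: find keytab entries that use deprecated Kerberos enctypes.
# Real use:  klist -ekt /etc/krb5.keytab | weak_keytab_entries

# Reads `klist -ekt` output on stdin. Prints "<kvno> <principal> <enctype>"
# for every RC4/DES/3DES key and returns 1 if at least one was found.
weak_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = substr($NF, 2, length($NF) - 2)   # strip the parentheses
            sub(/^DEPRECATED:/, "", enc)            # prefix used by newer klist
            # arcfour-hmac, arcfour-hmac-exp, des-cbc-*, des3-cbc-*
            if (enc ~ /^(arcfour|rc4|des)/) {
                print $1, $(NF - 1), enc
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample listing (hypothetical host and realm), standing in for
# the output of `klist -ekt` on a keytab that mixes AES and RC4 keys.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:krb5.keytab.sample
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/07/2020 10:15:02 host/win10.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 07/07/2020 10:15:02 host/win10.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 07/07/2020 10:15:02 host/win10.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
EOF
}

# Constructed sample with AES keys only; the check should pass silently.
sample_aes_only_output() {
    sample_klist_output | grep -v arcfour
}
```

A non-zero return from `weak_keytab_entries` can gate a configuration-management run or a periodic audit job, so keytabs issued before the enctype change are re-keyed with AES.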