Darran Lofthouse wrote:
On 05/31/2012 03:17 PM, Simo Sorce wrote:
I think you may need to download "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 7"
Apparently AES is not fully supported unless you have the JCE which is
not distributed by default due to restrictions on export as far as I can
Thank you for your reply Simo, I have actually been testing this both
with and without the unlimited strength policy - the error message is
the same in both cases, the only difference is that without the policy
in place aes128 is selected instead of aes256.
If you prefer to restrict your self to rc4-hmac, see the ipa-getkeytab
man page on how to explicitly request a set of enctypes on a new keytab.
Please remember that running ipa-getkeytab will invalidate your previous
Also to clarify at this stage I am supplying a username and password in
the client - I wanted to get that working first before switching it to a
You might want to check the KDC logs to see if it has any more details
on the failure.
Freeipa-users mailing list