On 06/01/2012 03:49 PM, Rob Crittenden wrote:
Darran Lofthouse wrote:
On 05/31/2012 03:17 PM, Simo Sorce wrote:
Darran,
I think you may need to download "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 7"
See here:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html



Apparently AES is not fully supported unless you have the JCE which is
not distributed by default due to restrictions on export as far as I can
understand.

Thank you for your reply Simo, I have actually been testing this both
with and without the unlimited strength policy - the error message is
the same in both cases, the only difference is that without the policy
in place aes128 is selected instead of aes256.

If you prefer to restrict yourself to rc4-hmac, see the ipa-getkeytab
man page on how to explicitly request a set of enctypes on a new keytab.
Please remember that running ipa-getkeytab will invalidate your previous
keys.

Also to clarify at this stage I am supplying a username and password in
the client - I wanted to get that working first before switching it to a
keytab.

You might want to check the KDC logs to see if it has any more details
on the failure.

Unfortunately no more detail than in the exception. I think I am at the point where I am going to manually try and re-create that field myself - there have been other reports of incorrect salt selection, but that was always against older versions of Java, so I think I need to start looking more closely at how the field is actually generated.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
