On 13.11.2014 02:17, Simo Sorce wrote:
> On Wed, 12 Nov 2014 15:54:14 +0100
> Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>> I created a principal for OpenAFS. OpenAFS need des-cbc-crc:v4
>> (single-DES). I created the principal with:
>> kadmin.local -x ipa-setup-override-restrictions
> Please don't do this, use the ipa service-add and ipa-getkeytab
> commands instead.
>> The result is:
>> Principal: afs/cellname@Realm
>> Key: vno 1, des-cbc-crc, no salt
>> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>> Seems like the principal was set correctly with single-des.
>> I execute a "kinit username" and got my tgt.
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@REALM
>> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
>> afs/celln...@pp.ipd.kit.edu: kvno = 1
>> Iam wondering that i dont get a ticket with des-cbc-crc enctype from
>> FreeIPA Kerberos server.
>> Any ideas ?
> des-cbc-crc is disabled at different levels, you need to set
It should be noted that there are very good reasons for disabling des-cbc-crc:
*It is completely insecure* and can be cracked easily!
> allow_weak_crypro = yes in krb5.conf to enabled use of DES algorithms
> at all.
> On the KDC however you also need to change the list of allowed
> enctypes in LDAP and in the KDC configuration file.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project