On 13.11.2014 02:17, Simo Sorce wrote:
> On Wed, 12 Nov 2014 15:54:14 +0100
> Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
>
>> Hi,
>>
>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>>
>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>> (single-DES). I created the principal with:
>>
>> kadmin.local -x ipa-setup-override-restrictions
>
> Please don't do this, use the ipa service-add and ipa-getkeytab
> commands instead.
>
>> The result is:
>>
>> Principal: afs/cellname@Realm
>> Key: vno 1, des-cbc-crc, no salt
>> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>>
>> Seems like the principal was set correctly with single-des.
>>
>> I execute a "kinit username" and got my tgt.
>>
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@REALM
>>
>> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
>> afs/celln...@pp.ipd.kit.edu: kvno = 1
>>
>> I am wondering that I don't get a ticket with des-cbc-crc enctype from
>> FreeIPA Kerberos server.
>>
>> Any ideas?
>
> des-cbc-crc is disabled at different levels, you need to set

It should be noted that there are very good reasons for disabling des-cbc-crc:
*It is completely insecure* and can be cracked easily!

> allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms
> at all.
> On the KDC however you also need to change the list of allowed
> enctypes in LDAP and in the KDC configuration file.

--
Petr^2 Spacek
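
As an added example (not part of the thread and not FreeIPA's own code), the sketch below audits krb5.conf or kdc.conf text for the settings discussed above: `allow_weak_crypto` and single-DES entries in the enctype lists. The function name, the sample configuration and the realm `EXAMPLE.TEST` are constructed for illustration; the enctype list kept in LDAP is not covered.

```python
import re

# Single-DES enctype names documented by MIT krb5 as weak ("des" is the family alias).
WEAK_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
            "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes", "master_key_type"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def audit_krb5_config(text):
    """Return a list of (line_number, finding) for single-DES settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((lineno, "allow_weak_crypto is enabled"))
        elif key in ENCTYPE_KEYS:
            for entry in re.split(r"[\s,]+", value):
                if not entry or entry.startswith("-"):
                    continue  # "-des" removes an enctype from the list
                # Drop a "+" prefix and any ":salt" suffix such as ":v4".
                name = entry.lstrip("+").split(":", 1)[0].lower()
                if name in WEAK_DES:
                    findings.append((lineno, f"{key} permits {name}"))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = yes
  permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
  EXAMPLE.TEST = {
    supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:v4
    default_tgs_enctypes = DEFAULT -des
  }
"""

if __name__ == "__main__":
    for lineno, finding in audit_krb5_config(SAMPLE):
        print(f"line {lineno}: {finding}")
```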