>> Hi,
>>
>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>>
>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>> (single-DES). I created the principal with:
>>
>> kadmin.local -x ipa-setup-override-restrictions
> Please don't do this, use the ipa service-add and ipa-getkeytab
> commands instead.

I can't use ipa service-add, because for OpenAFS I need a service principal called:
afs/cellname@REALM, the cellname could be any name. In my case the cellname is the same as the domain name. With ipa service-add I could only add principals like service/FQDN@REALM.

>
>> The result is:
>>
>> Principal: afs/cellname@Realm
>> Key: vno 1, des-cbc-crc, no salt
>> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>>
>> Seems like the principal was set correctly with single-des.
>>
>> I execute a "kinit username" and got my tgt.
>>
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@REALM
>>
>> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
>> afs/celln...@pp.ipd.kit.edu: kvno = 1
>>
>> I am wondering that I don't get a ticket with des-cbc-crc enctype from
>> FreeIPA Kerberos server.
>>
>> Any ideas?
> des-cbc-crc is disabled at different levels, you need to set
> allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms
> at all.

I have already done this on the client side.

> On the KDC however you also need to change the list of allowed
> enctypes in LDAP and in the KDC configuration file.

OK, I already added the supportedenctypes and defaultencsalttypes in the 389 LDAP enctype list of the kerberos realm. In which KDC file do I have to change the enctypes on the FreeIPA server? kdc.conf? What should I add to get the FreeIPA KDC delivering single-DES?

>
> Simo.
>

cheers,
Andreas
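
Added example (not part of the thread and not FreeIPA code): a small Python audit that reports every place a krb5.conf or kdc.conf enables single-DES, covering the allow_weak_crypto switch and the enctype lists discussed above. The sample file contents and the realm EXAMPLE.TEST are constructed for illustration.

```python
import re

# Single-DES enctype names in MIT Kerberos ("des" is the family alias).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
# krb5.conf / kdc.conf relations that carry enctype lists.
ENCTYPE_KEYS = {"supported_enctypes", "permitted_enctypes",
                "default_tkt_enctypes", "default_tgs_enctypes"}
TRUE = {"y", "yes", "true", "t", "1", "on"}  # boolean spellings krb5 accepts

def audit(text, source):
    """Return (source, section, key, value) for each setting enabling single-DES."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:          # e.g. the "}" closing a realm block
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE:
            findings.append((source, section, key, value))
        elif key in ENCTYPE_KEYS:
            # Entries are space/comma separated; kdc.conf appends ":salt";
            # a leading "-" removes an enctype, a leading "+" adds one.
            weak = [e for e in re.split(r"[\s,]+", value)
                    if not e.startswith("-")
                    and e.lstrip("+").split(":")[0].lower() in WEAK]
            if weak:
                findings.append((source, section, key, " ".join(weak)))
    return findings

# Constructed sample files (EXAMPLE.TEST is a placeholder realm).
SAMPLE_KRB5 = """[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = yes
  permitted_enctypes = DEFAULT -des
"""
SAMPLE_KDC = """[realms]
  EXAMPLE.TEST = {
    supported_enctypes = aes256-cts:normal des-cbc-crc:v4
  }
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_KRB5, "krb5.conf") + audit(SAMPLE_KDC, "kdc.conf"):
        print("%s [%s] %s = %s" % f)
```

Run against the real files on each client and KDC, an empty result means none of these settings turns single-DES on in that file; the enctype list stored in LDAP is not covered by this check.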