>> Hi,
>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>> (single-DES). I created the principal with:
>> kadmin.local -x ipa-setup-override-restrictions
> Please don't do this, use the ipa service-add and ipa-getkeytab
> commands instead.
I can't use ipa service-add, because for OpenAFS I need a service
principal called:

afs/cellname@REALM, the cellname could be any name. In my case the
cellname is the same as the domain name.

With ipa service-add I could only add principals like service/FQDN@REALM.
>> The result is:
>> Principal: afs/cellname@Realm
>> Key: vno 1, des-cbc-crc, no salt
>> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>> Seems like the principal was set correctly with single-des.
>> I execute a "kinit username" and got my tgt.
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@REALM
>> kvno -e aes256-cts-hmac-sha1-96  afs/cellname
>> afs/celln...@pp.ipd.kit.edu: kvno = 1
>> I am wondering why I don't get a ticket with des-cbc-crc enctype from
>> FreeIPA Kerberos server.
>> Any ideas?
> des-cbc-crc is disabled at different levels, you need to set
> allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms
> at all.
I have already done this on the client side.
> On the KDC however you also need to change the list of allowed
> enctypes in LDAP and in the KDC configuration file.
OK, I already added the supportedenctypes and defaultencsalttypes in the
389 LDAP enctype list of the kerberos realm.

In which KDC file do I have to change the enctypes on FreeIPA server?
kdc.conf? What should I add to get the FreeIPA KDC delivering single-des?
> Simo.
