Hi,

Server: FreeIPA 3.3.5, Fedora 20
Client: Ubuntu 14.04

ipa-getkeytab -s freeipaserver -p principal@REALM -k /tmp/principal.keytab -e des3-hmac-sha1 -P

only results in:

klist -k /tmp/principal.keytab -e
Keytab name: FILE:/tmp/principal.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 principal@REALM (des3-cbc-sha1)


/var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true

[realms]
REALM = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
;  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4 des3-hmac-sha1:normal
 }

I added the "des3-hmac-sha1:normal" entry to the "supported_enctypes" parameter.

There are also attribute entries krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes with the value "des3-hmac-sha1:normal" in 389 LDAP.


cheers,
Andreas


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
