Hi Jakub,

I ended up re-enrolling the box and it is behaving as expected, except I
am not getting a host cert. Robert indicated auto host cert is no longer
available with RHEL 7, but to use the --request-cert option on enroll to get a
host cert if I wanted one. I did so and get this in the install log:


2016-11-16T22:00:53Z DEBUG Starting external process
2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active' 'certmonger.service'
2016-11-16T22:00:53Z DEBUG Process finished, return code=0
2016-11-16T22:00:53Z DEBUG stdout=active

2016-11-16T22:00:53Z DEBUG stderr=
2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed


Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x) IPA
server?

As for crypto on RHEL 6 IPA I have (if this is what you are looking for).
However this is a modified version, as it took me a while to get this list to
pass Tenable scans by modding the dse files.
[root@ipa1 ~]#  nmap --script ssl-enum-ciphers -p 636 `hostname`

Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-16 17:25 EST
Nmap scan report for ipa1.ipa.local
Host is up (0.000087s latency).
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed





Sean Hogan







From:   Jakub Hrozek <jhro...@redhat.com>
To:     Sean Hogan/Durham/IBM@IBMUS
Cc:     Martin Babinsky <mbabi...@redhat.com>, freeipa-users@redhat.com
Date:   11/16/2016 02:38 PM
Subject:        Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server



On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote:
> [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local
> kinit: Program lacks support for encryption type while getting initial
> credentials

OK, now there's at least the same error from kinit as sssd is
generating. Can you run this command prepended with
KRB5_TRACE=/dev/stderr and perhaps also check the KDC logs for the same
time?

But frankly I don't know offhand what enctypes are supported by the
RHEL-6 server's KDC..



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
