Hi,

> On Fri, 07 Nov 2014 16:05:11 +0100
> Andreas Ladanyi <[email protected]> wrote:
>
>> Sorry, I didn't tell you that. In FreeIPA you must enable the DES salttype. I
>> enabled the des-cbc-crc:normal and des-cbc-crc:v4.
> I'm not too familiar with FreeIPA, but usually you need to enable "weak
> enctypes" separately from enabling DES specifically. That is, you need
> to turn on those specific enctypes (for the principal, and possibly for
> the whole KDC), but you also need to enable "weak crypto" in krb5.conf
> like Brandon mentioned.
>
> Or maybe what you did for this was correct, and something else is the
> problem. I'm sending some other things to try out in a moment.

I solved the problem but I'm not exactly sure why it works now :-)

In the past I first created a principal in FreeIPA Kerberos with the kadmin.local tool named "afs/cellname@REALM" with one key:

    Key: vno 2, des-cbc-crc, no salt

The result was the OpenAFS error message:

    Kerberos error code returned by get_cred : -1765328370, KRB5KDC_ERR_ETYPE_NOSUPP

To solve the problem it was enough to use the FreeIPA command "ipa-getkeytab". This command generates 7 new keys for the "afs/cellname@REALM" principal. The DES key is also generated because I enabled it in FreeIPA.

    Key: vno 2, aes256-cts-hmac-sha1-96, no salt
    Key: vno 2, aes128-cts-hmac-sha1-96, no salt
    Key: vno 2, des3-cbc-sha1, no salt
    Key: vno 2, arcfour-hmac, no salt
    Key: vno 2, camellia128-cts-cmac, no salt
    Key: vno 2, camellia256-cts-cmac, no salt
    Key: vno 2, des-cbc-crc, no salt

Now aklog works and I can get an AFS token. Why are all these keys important for aklog? Or which key exactly is important, the DES key?

cheers,
Andreas
