Re: [Freeipa-users] KDC has no support for encryption type

2015-01-05 Thread Petr Spacek
On 29.12.2014 23:31, Matt . wrote:
> But should an IPA install not add them by default ? Maybe this is some

I'm not sure that I understand what you mean, but DES is disabled on purpose
because it is completely insecure nowadays. Maybe you should try to rule it
out of your deployment.

According to [1], it was possible to attack a DES key back in 2008. I don't want
to even guess how easy it has to be today. DES in Kerberos was formally
deprecated by RFC 6649 [2].

Also, the -CRC variants are completely insecure by design (because they are malleable).

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649

Have a nice day!

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] KDC has no support for encryption type

2015-01-02 Thread Dmitri Pal

On 12/30/2014 06:06 AM, Matt . wrote:

> Reading up on this, the weak password setting should work, but it doesn't.
>
> What are my chances here as I need to do a "ipa pwpolicy-mod --maxlife 200"

This touches the expiration, not the encryption types.

> Or can this be done from an LDAP browser too ?

Yes. It sets the global kerberos password expiration attribute.

> 2014-12-29 23:31 GMT+01:00 Matt . :
>
>> OK, thanks for that.
>>
>> But should an IPA install not add them by default ? Maybe this is some
>> 4.x dev which is still needed ?
>>
>> I need to look what I exactly need.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] KDC has no support for encryption type

2014-12-30 Thread Matt .
Reading up on this, the weak password setting should work, but it doesn't.

What are my chances here as I need to do a "ipa pwpolicy-mod --maxlife 200"

Or can this be done from an LDAP browser too ?

2014-12-29 23:31 GMT+01:00 Matt . :
> OK, thanks for that.
>
> But should an IPA install not add them by default ? Maybe this is some
> 4.x dev which is still needed ?
>
> I need to look what I exactly need.



Re: [Freeipa-users] KDC has no support for encryption type

2014-12-29 Thread Matt .
OK, thanks for that.

But should an IPA install not add them by default ? Maybe this is some
4.x dev which is still needed ?

I need to look what I exactly need.



Re: [Freeipa-users] KDC has no support for encryption type

2014-12-29 Thread Dmitri Pal

On 12/29/2014 05:09 PM, Matt . wrote:

> Hi All,
>
> When doing some IPA commands on my 4.1.2 install I get the following error:
>
> ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure.
> Minor code may provide more
>    information', 851968)/('KDC has no support for
> encryption type', -1765328370)/
>
> I already tried to add this to my [libdefaults] in my krb5.conf:
>
> [libdefaults]
>   ...
> allow_weak_crypto = yes
> default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
> default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

I am not sure about the spaces but I suspect it is OK.
What is not OK is probably that you have not listed all the other encryption
types that IPA assumes.
If you need weaker ciphers you need to list them in addition to the
strong ones.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/krb5_conf.html

> But this doesn't seem to fix it.
>
> Is this still the known bug in 4.x ?
>
> And can I fix it ?
>
> Thanks!
>
> Matt




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

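The two points made in this thread, Petr's (single DES and the -CRC variants are weak by design) and Dmitri's (any weaker enctypes have to be listed alongside the strong ones IPA assumes), can be turned into a small check run over a krb5.conf before it is rolled out. The script below is an added example, not code from the thread, FreeIPA or MIT Kerberos: the STRONG set, the weak-name rules, the minimal [libdefaults] parser and both sample configurations are assumptions constructed for this example.

```python
"""Lint the enctype settings in the [libdefaults] section of a krb5.conf.

Added example, not code from the thread, FreeIPA or MIT Kerberos. Encodes two
points from the thread: single DES (deprecated by RFC 6649) and the malleable
-CRC variants are weak, and weaker enctypes must be listed in addition to the
strong (AES) ones an IPA KDC expects. STRONG and the weak-name rules are this
example's assumptions; both sample configs are constructed.
"""
import re

# AES enctype names (with the short aliases MIT krb5 accepts): the strong
# types that must appear in every enctype list.
STRONG = {
    "aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1",
    "aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1",
}
ENCTYPE_LISTS = ("default_tkt_enctypes", "default_tgs_enctypes",
                 "permitted_enctypes")


def classify(enctype):
    """Classify one enctype name (case-insensitive) as strong, weak or legacy.
    Single DES (56-bit key), -crc checksum variants and export-grade types are
    weak; other non-AES names (rc4-hmac, des3-cbc-sha1) are left to policy."""
    name = enctype.strip().lower()
    if name in STRONG:
        return "strong"
    if (name.startswith("des-") or name.endswith("-crc")
            or name.endswith("-exp") or name == "des3-cbc-raw"):
        return "weak"
    return "legacy"


def parse_libdefaults(text):
    """Collect flat key = value settings from [libdefaults]; other sections
    (including their brace-delimited realm blocks) are skipped."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def split_enctypes(value):
    """krb5.conf accepts comma- and/or whitespace-separated enctype lists."""
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]


def lint(text):
    """Return a list of (setting, problem) findings for [libdefaults]."""
    settings = parse_libdefaults(text)
    findings = []
    for key in ENCTYPE_LISTS:
        if key not in settings:
            continue
        kinds = {n: classify(n) for n in split_enctypes(settings[key])}
        weak = [n for n, k in kinds.items() if k == "weak"]
        if weak:
            findings.append((key, "weak enctypes listed: " + ", ".join(weak)))
        if "strong" not in kinds.values():
            findings.append((key, "no AES enctype listed; weaker types must "
                                  "be listed in addition to the strong ones"))
    if settings.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("allow_weak_crypto",
                         "weak crypto enabled; DES is deprecated by RFC 6649"))
    return findings


# Constructed sample with the shape of the snippet quoted in the thread:
# only legacy and weak enctypes, and weak crypto switched on.
BROKEN_CONF = """
[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = yes
  default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
  default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test
  }
"""

# Constructed sample that lists only the AES enctypes.
CLEAN_CONF = """
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("clean", CLEAN_CONF)):
        print(label, "->", lint(conf) or "no findings")
```

Run stand-alone, it reports the weak DES entries, the missing AES entries and the enabled allow_weak_crypto for the constructed "broken" config and nothing for the AES-only one. The parser is deliberately limited to flat [libdefaults] settings, so it is a pre-deployment check rather than a general krb5.conf parser; anything it classifies as "legacy" (RC4, triple DES) is left to local policy because the thread only rules on single DES and the -CRC variants.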