<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/12/2014 09:54 AM, Andreas Ladanyi
wrote:<br>
</div>
<blockquote cite="mid:54637496.9030508@kit.edu" type="cite">
<pre wrap="">Hi,
I set up the 389 LDAP server to support des-cbc-crc enctype.
I created a principal for OpenAFS. OpenAFS need des-cbc-crc:v4
(single-DES). I created the principal with:
kadmin.local -x ipa-setup-override-restrictions
The result is:
Principal: afs/cellname@Realm
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Seems like the principal was set correctly with single-des.
I execute a "kinit username" and got my tgt.
kvno -e des-cbc-crc afs/cellname
kvno: KDC has no support for encryption type while getting credentials
for afs/cellname@REALM
kvno -e aes256-cts-hmac-sha1-96 afs/cellname
<a class="moz-txt-link-abbreviated" href="mailto:afs/cellname@PP.IPD.KIT.EDU">afs/cellname@PP.IPD.KIT.EDU</a>: kvno = 1
Iam wondering that i dont get a ticket with des-cbc-crc enctype from
FreeIPA Kerberos server.
Any ideas ?
cheers,
Andreas
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Did you enable use of weak crypto?<br>
See allow_weak_crypto setting in krb5.conf on the server.<br>
<br>
<a class="moz-txt-link-freetext" href="http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html">http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html</a><br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>