[Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes
Simo Sorce
simo at redhat.com
Fri Feb 24 05:00:04 UTC 2012
On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> We noticed that older client machines couldn't join FreeIPA 2.1.90
> servers running KDC 1.90. It was failing to return a ticket for DES so
> the whole keytab request was failing.
>
> I changed it so failures are acceptable as long as one requested type is
> returned.
>
> I wasn't able to get my KDC to actually return a DES key despite
> enabling weak crypto and adding the des enctypes. Not sure if this is a
> problem on my end or not. I used RHEL 5 as the client.
The problem is that the authoritative list for the IPA server is in
cn=REALM.NAME,cn=kerberos,$suffix
In there, there are 2 multivalue attributes: krbDefaultEncSaltTypes and
krbSupportedEncSaltTypes.
You need to add any enctype you want 'supported' in that list.
You may have to restart DS after you change those values as I don't
remember if we update internal structures on the fly.
On the patch, where does the '48' come from?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
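An added example (not code from this thread or from ipa-getkeytab) that ties the two points together: it reads a realm entry's krbSupportedEncSaltTypes values from constructed ldapsearch-style output, applies the patch's rule that a keytab request succeeds as long as at least one requested enctype is supported, and reports any deprecated enctypes an admin has enabled to accommodate old clients. The realm DN, values and attribute-per-line layout are assumptions for the sample.

```python
"""Added example (not from the thread or ipa-getkeytab): read a realm's
krbSupportedEncSaltTypes from ldapsearch-style output and apply the patch's
"at least one requested enctype must be returned" rule."""

# Constructed sample of what ldapsearch might print for the realm entry
# cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com (illustrative, not captured).
SAMPLE_LDIF = """\
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
cn: EXAMPLE.COM
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
"""

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4); an admin
# who adds these to "support" old clients should know they are enabled.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                       "des3-cbc-sha1", "arcfour-hmac"}

def parse_enc_salt_types(ldif, attr="krbSupportedEncSaltTypes"):
    """Return the set of enctype names listed under `attr` (salt type dropped)."""
    types = set()
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            # Values look like 'enctype:salttype'; keep only the enctype.
            types.add(value.strip().split(":", 1)[0])
    return types

def plan_keytab_request(requested, supported):
    """Patched ipa-getkeytab policy from the thread: the request succeeds if
    at least one requested enctype is supported; the rest are skipped."""
    granted = [e for e in requested if e in supported]
    skipped = [e for e in requested if e not in supported]
    return {"ok": bool(granted), "granted": granted, "skipped": skipped}

def deprecated_types_enabled(supported):
    """Deprecated enctypes present in the realm's supported list."""
    return sorted(supported & DEPRECATED_ENCTYPES)

if __name__ == "__main__":
    supported = parse_enc_salt_types(SAMPLE_LDIF)
    # An older client, like the RHEL 5 one in the thread, also asking for DES.
    print(plan_keytab_request(["aes256-cts", "aes128-cts", "des-cbc-crc"], supported))
    print("deprecated enctypes enabled:", deprecated_types_enabled(supported))
```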