[Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

Simo Sorce simo at redhat.com
Mon Mar 5 15:40:54 UTC 2012


On Fri, 2012-02-24 at 08:57 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
> >> We noticed that older client machines couldn't join FreeIPA 2.1.90
> >> servers running KDC 1.90. It was failing to return a ticket for DES so
> >> the whole keytab request was failing.
> >>
> >> I changed it so failures are acceptable as long as one requested type is
> >> returned.
> >>
> >> I wasn't able to get my KDC to actually return a DES key despite
> >> enabling weak crypto and adding the des enctypes. Not sure if this is a
> >> problem on my end or not. I used RHEL 5 as the client.
> >
> > The problem is that the authoritative list for the IPA server is in
> > cn=REALM.NAME,cn=kerberos,$suffix
> >
> > In there, there are 2 multivalue attributes: krbDefaultEncSaltTypes and
> > krbSupportedEncSaltTypes.
> >
> > You need to add any enctype you want 'supported' in that list.
> > You may have to restart DS after you change those values as I don't
> > remember if we update internal structures on the fly.
> 
> Restarting the KDC did it. I disabled arcfour and now I see two failed cert types from RHEL 5:
> 
> $ ipa-getkeytab -s doberman.example.com -p test/zeus.example.com -k /tmp/test.kt
> Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
> Keytab successfully retrieved and stored in: /tmp/test.kt
> 
> >
> > On the patch, where does the '48' come from?
> 
> Completely arbitrary, trying to keep the error on a single line (similar to the list of supported enctypes truncating at 79).

I do not like this much, but it is just an error message so ACK.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
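The behaviour change the patch introduces (collect per-enctype failures, succeed as long as at least one requested enctype comes back, abort only when none does) can be modelled without a KDC. The following is an added example written for this archive page; it is not FreeIPA code and does not speak the real ipa-getkeytab extended operation. The server-side "supported" set stands in for krbSupportedEncSaltTypes on cn=REALM.NAME,cn=kerberos,$suffix, the client request list and the key material are constructed, the function names are hypothetical, and the enctype display strings other than the two visible in Rob's output (#23 and #1) are assumed to match MIT Kerberos' krb5_enctype_to_string text.

```python
"""Model of the partial-failure enctype handling discussed in the thread.

Added illustration only: the per-enctype key request to the KDC is replaced
by a lookup in an in-memory set. Enctype numbers are the IANA/RFC 3961 and
RFC 4757 assignments.
"""


class KeytabError(Exception):
    """Raised when the keytab request as a whole has to fail."""


# Display names as ipa-getkeytab prints them. #23 and #1 appear verbatim in
# the thread; the others are assumed to match MIT krb5_enctype_to_string().
ENCTYPE_NAMES = {
    1: "DES cbc mode with CRC-32",
    3: "DES cbc mode with RSA-MD5",
    16: "Triple DES cbc mode with HMAC/sha1",
    17: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
    23: "ArcFour with HMAC/md5",
}

# Constructed stand-in for krbSupportedEncSaltTypes: arcfour and DES removed,
# as in Rob's test server.
SERVER_SUPPORTED = {16, 17, 18}

# Constructed stand-in for the enctype list an old client still asks for.
OLD_CLIENT_REQUEST = [18, 17, 16, 23, 1]

# The patch's arbitrary width for keeping the error on one line.
ERROR_NAME_WIDTH = 48


def fetch_key(enctype, supported):
    """Stand-in for one per-enctype key request; None means the server refused."""
    if enctype not in supported:
        return None
    return bytes([enctype]) * 8  # placeholder key material, not a real key


def failure_message(enctype, width=ERROR_NAME_WIDTH):
    """Format one failure the way the thread's output shows it, name truncated."""
    name = ENCTYPE_NAMES.get(enctype, "unknown enctype")[:width]
    return f"Failed to retrieve encryption type {name} (#{enctype})"


def retrieve_keytab(requested, supported, allow_partial=True):
    """Return (keys, failure_messages).

    allow_partial=False models the pre-patch behaviour: the first refused
    enctype aborts the whole request. allow_partial=True models the patch:
    refusals are reported, and the request fails only if nothing came back.
    """
    keys, failures = {}, []
    for enctype in requested:
        key = fetch_key(enctype, supported)
        if key is None:
            if not allow_partial:
                raise KeytabError(failure_message(enctype))
            failures.append(failure_message(enctype))
        else:
            keys[enctype] = key
    if not keys:
        raise KeytabError("none of the requested encryption types could be retrieved")
    return keys, failures


def request_fails(requested, supported, allow_partial=True):
    """True if retrieve_keytab raises KeytabError for these inputs."""
    try:
        retrieve_keytab(requested, supported, allow_partial)
    except KeytabError:
        return True
    return False


if __name__ == "__main__":
    keys, failures = retrieve_keytab(OLD_CLIENT_REQUEST, SERVER_SUPPORTED)
    for line in failures:
        print(line)
    print("Keytab successfully retrieved with enctypes:", sorted(keys))
```

Running the module reproduces the two "Failed to retrieve" lines from Rob's session followed by a success, because AES and 3DES were still returned; the same request with `allow_partial=False` aborts at #23, which is the failure the patch was written to avoid. Note that restricting enctypes on the server side is what actually removes weak keys from the keytab; the client merely tolerates the refusals.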



