[Freeipa-devel] [PATCH] 965 Allow ipa-getkeytab to skip missing enctypes

Rob Crittenden rcritten at redhat.com
Mon Mar 5 15:52:12 UTC 2012


Simo Sorce wrote:
> On Fri, 2012-02-24 at 08:57 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Thu, 2012-02-23 at 22:05 -0500, Rob Crittenden wrote:
>>>> We noticed that older client machines couldn't join FreeIPA 2.1.90
>>>> servers running KDC 1.90. It was failing to return a ticket for DES so
>>>> the whole keytab request was failing.
>>>>
>>>> I changed it so failures are acceptable as long as one requested type is
>>>> returned.
>>>>
>>>> I wasn't able to get my KDC to actually return a DES key despite
>>>> enabling weak crypto and adding the des enctypes. Not sure if this is a
>>>> problem on my end or not. I used RHEL 5 as the client.
>>>
>>> The problem is that the authoritative list for the IPA server is in
>>> cn=REALM.NAME,cn=kerberos,$suffix
>>>
>>> In there there are 2 multivalue attributes: krbDefaultEncSaltTypes and
>>> krbSupportedEncSaltTypes.
>>>
>>> You need to add any enctype you want 'supported' in that list.
>>> You may have to restart DS after you change those values as I don't
>>> remember if we update internal structures on the fly.
>>
>> Restarting the KDC did it. I disabled arcfour and now I see two failed
>> cert types from RHEL 5:
>>
>> $ ipa-getkeytab -s doberman.example.com -p test/zeus.example.com -k /tmp/test.kt
>> Failed to retrieve encryption type ArcFour with HMAC/md5 (#23)
>> Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
>> Keytab successfully retrieved and stored in: /tmp/test.kt
>>
>>>
>>> On the patch where does the '48' comes from ?
>>
>> Completely arbitrarily trying to keep error on a single line (similar to
>> the list of supported enctypes truncating at 79).
>
> I do not like this much, but it is just an error message so ACK.
>
> Simo.
>

I switched it to use 79 to be consistent with other uses of 
krb5_enctype_to_string()

pushed to master and ipa-2-2

rob
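The behaviour the thread describes, as an added example that is not the ipa-getkeytab patch or any other FreeIPA code: every requested enctype is asked for, each one the KDC does not return is reported with its name clipped to the 79-character width the thread settles on, and the request as a whole fails only when no key at all came back. The KDC's supported list, the enctype names and the numeric ids in the tables are constructed stand-ins (the real tool gets these from the KDC and from krb5_enctype_to_string()).

```c
/* Added example, not FreeIPA code: tolerate per-enctype failures when
 * building a keytab, fail only if nothing was returned. */
#include <stdio.h>
#include <string.h>

#define ENCTYPE_NAME_WIDTH 79   /* width used for the name in the message */

/* Constructed stand-in for what the KDC's krbSupportedEncSaltTypes allows;
 * here AES only, so arcfour (#23) and DES (#1) will be refused. */
static const int kdc_supported[] = { 18, 17 };

/* Constructed name table in place of krb5_enctype_to_string(). */
static const char *enctype_name(int etype)
{
    switch (etype) {
    case 18: return "AES-256 CTS mode with 96-bit SHA-1 HMAC";
    case 17: return "AES-128 CTS mode with 96-bit SHA-1 HMAC";
    case 23: return "ArcFour with HMAC/md5";
    case 1:  return "DES cbc mode with CRC-32";
    default: return "unknown enctype";
    }
}

/* Simulated key request: succeeds only for enctypes the KDC supports. */
static int fetch_key(int etype)
{
    size_t n = sizeof(kdc_supported) / sizeof(kdc_supported[0]);
    for (size_t i = 0; i < n; i++)
        if (kdc_supported[i] == etype)
            return 0;
    return -1;
}

/* Request each enctype in `want`. Keys obtained are stored in `got`
 * (which must hold nwant entries); *ngot receives their count.
 * Returns 0 if at least one key was retrieved, -1 if none was. */
int retrieve_keytab(const int *want, size_t nwant, int *got, size_t *ngot)
{
    char name[ENCTYPE_NAME_WIDTH + 1];

    *ngot = 0;
    for (size_t i = 0; i < nwant; i++) {
        if (fetch_key(want[i]) == 0) {
            got[(*ngot)++] = want[i];
            continue;
        }
        /* Report and keep going: a missing enctype is not fatal on its own.
         * snprintf clips the name so the message stays on one line. */
        snprintf(name, sizeof(name), "%s", enctype_name(want[i]));
        fprintf(stderr, "Failed to retrieve encryption type %s (#%d)\n",
                name, want[i]);
    }
    return *ngot == 0 ? -1 : 0;
}

/* Convenience wrapper: number of keys retrieved, or -1 if the request
 * failed outright (no key for any requested enctype). */
int retrieved_count(const int *want, size_t nwant)
{
    int got[16];
    size_t ngot;
    if (nwant > 16 || retrieve_keytab(want, nwant, got, &ngot) != 0)
        return -1;
    return (int)ngot;
}

int main(void)
{
    /* Constructed request: one supported and two unsupported enctypes. */
    int want[] = { 18, 23, 1 };
    int rc = retrieved_count(want, 3);
    if (rc < 0)
        fprintf(stderr, "Keytab request failed: no keys returned\n");
    else
        printf("Keytab successfully retrieved (%d key(s))\n", rc);
    return rc < 0 ? 1 : 0;
}
```

Run against the constructed tables the program prints the two "Failed to retrieve" lines seen in the thread and still succeeds, because the AES key came back; asking for only arcfour and DES is the case that fails outright.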
