[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

Dmitri Pal dpal at redhat.com
Wed Nov 12 19:45:10 UTC 2014


On 11/12/2014 09:54 AM, Andreas Ladanyi wrote:
> Hi,
>
> I set up the 389 LDAP server to support des-cbc-crc enctype.
>
> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
> (single-DES). I created the principal with:
>
> kadmin.local -x ipa-setup-override-restrictions
>
> The result is:
>
> Principal: afs/cellname at Realm
> Key: vno 1, des-cbc-crc, no salt
> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>
> Seems like the principal was set correctly with single-des.
>
> I execute a "kinit username" and got my tgt.
>
> kvno -e des-cbc-crc afs/cellname
> kvno: KDC has no support for encryption type while getting credentials
> for afs/cellname at REALM
>
> kvno -e aes256-cts-hmac-sha1-96  afs/cellname
> afs/cellname at PP.IPD.KIT.EDU: kvno = 1
>
> I am wondering why I don't get a ticket with des-cbc-crc enctype from
> the FreeIPA Kerberos server.
>
> Any ideas ?
>
>
> cheers,
> Andreas
>
>
>
>
Did you enable the use of weak crypto?
See the allow_weak_crypto setting in krb5.conf on the server.

http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
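
The check suggested in the reply above, as an added example that is not part of the original thread: a small Python audit that reads the `[libdefaults]` section of a krb5.conf and reports whether `allow_weak_crypto` is on and which weak enctypes named in the enctype lists are therefore filtered or left in. The sample files, the `audit` and `libdefaults` helper names and the `EXAMPLE.TEST` realm are constructed for illustration; the parser ignores include directives and braced subsections.

```python
import re

# Enctypes the MIT krb5 documentation lists as weak.
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des-hmac-sha1", "arcfour-hmac-exp", "rc4-hmac-exp",
        "arcfour-hmac-md5-exp"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
ENCTYPE_LISTS = ("default_tkt_enctypes", "default_tgs_enctypes",
                 "permitted_enctypes")

def libdefaults(conf_text):
    """Return the [libdefaults] relations of a krb5.conf as a dict."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def audit(conf_text):
    """Report the weak-crypto flag and the weak enctypes named in the lists."""
    opts = libdefaults(conf_text)
    # allow_weak_crypto defaults to false when the relation is absent.
    allowed = opts.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    named = set()
    for key in ENCTYPE_LISTS:
        named |= set(re.split(r"[,\s]+", opts.get(key, "").lower())) & WEAK
    return {"allow_weak_crypto": allowed,
            "unfiltered": sorted(named) if allowed else [],
            "filtered": [] if allowed else sorted(named)}

# Constructed sample files, not taken from the thread.
DEFAULT_CONF = """[libdefaults]
  default_realm = EXAMPLE.TEST
  permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
"""
WEAK_CONF = DEFAULT_CONF + "  allow_weak_crypto = true\n"

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("weak", WEAK_CONF)):
        print(name, audit(text))
```

A non-empty `unfiltered` list marks a host where single-DES is accepted, which is worth tracking in an inventory once the OpenAFS dependency on it goes away.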
