[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

Andreas Ladanyi andreas.ladanyi at kit.edu
Tue Nov 18 14:11:01 UTC 2014


Hi Simo,
>> That's interesting. Now I can receive afs/cellname@REALM service
>> tickets with des-cbc-crc and aes256 key on the client but only when I
>> execute:
>>
>> kvno -e des-cbc-crc afs/cellname
>>
>> If I execute aklog to obtain an afs token from tgt I get an
>> afs/cellname@REALM service ticket without des-cbc-crc key.
> This is probably because you got all default enctypes in the key, so
> the KDC is sending you a ticket with the strongest keytype for which it
> has a shared key with the service.
>
>>> However, we have a problem in FreeIPA 4.x that an
>>> attempt to force only a specific encryption type in ipa-getkeytab is
>>> ignored and instead only enctypes from krbDefaultEncSaltTypes
>>> attribute are generated. This bug is tracked with
>>> https://fedorahosted.org/freeipa/ticket/4718
> This is the bug that is causing your last issue ^^
>
> One way around it is to use an older ipa-getkeytab binary (like the one
> on RHEL 6) that uses the old setkeytab control.
>
> We are working on a fix upstream and will land it asap.
>
> Simo.

In the lines above I read that the bug is in FreeIPA 4.x.

Does this bug also belong to FreeIPA release 3.3.6 (which I use in
Fedora) or only 4.x?

Thanks a lot,
Andreas



