On Wed, 12 Nov 2014 15:54:14 +0100 Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
> Hi,
>
> I set up the 389 LDAP server to support des-cbc-crc enctype.
>
> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
> (single-DES). I created the principal with:
>
> kadmin.local -x ipa-setup-override-restrictions

Please don't do this, use the ipa service-add and ipa-getkeytab commands instead.

> The result is:
>
> Principal: afs/cellname@Realm
> Key: vno 1, des-cbc-crc, no salt
> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>
> Seems like the principal was set correctly with single-des.
>
> I execute a "kinit username" and got my tgt.
>
> kvno -e des-cbc-crc afs/cellname
> kvno: KDC has no support for encryption type while getting credentials
> for afs/cellname@REALM
>
> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
> afs/celln...@pp.ipd.kit.edu: kvno = 1
>
> I am wondering that I don't get a ticket with des-cbc-crc enctype from
> FreeIPA Kerberos server.
>
> Any ideas ?

des-cbc-crc is disabled at different levels, you need to set allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms at all.

On the KDC however you also need to change the list of allowed enctypes in LDAP and in the KDC configuration file.

Simo.

--
Simo Sorce * Red Hat, Inc * New York