On Tue, 18 Nov 2014 15:11:01 +0100
Andreas Ladanyi <andreas.lada...@kit.edu> wrote:

> Hi Simo,
> >> That's interesting. Now I can receive afs/cellname@REALM service
> >> tickets with des-cbc-crc and aes256 key on the client but only
> >> when I execute:
> >>
> >> kvno -e des-cbc-crc afs/cellname
> >>
> >> If I execute aklog to obtain an afs token from tgt I get an
> >> afs/cellname@REALM service ticket without des-cbc-crc key.
> > This is probably because you got all default enctypes in the key, so
> > the KDC is sending you a ticket with the strongest keytype for
> > which it has a shared key with the service.
> >
> >>> However, we have a problem in FreeIPA 4.x that an
> >>> attempt to force only a specific encryption type in ipa-getkeytab
> >>> is ignored and instead only enctypes from krbDefaultEncSaltTypes
> >>> attribute are generated. This bug is tracked with
> >>> https://fedorahosted.org/freeipa/ticket/4718
> > This is the bug that is causing your last issue ^^
> >
> > One way around it is to use an older ipa-getkeytab binary (like the
> > one on RHEL 6) that uses the old setkeytab control.
> >
> > We are working on a fix upstream and will land it asap.
> >
> > Simo.
> In the lines above I read that the bug is in FreeIPA 4.x.
> 
> Does this bug also belong to FreeIPA Release 3.3.6 (which I use in
> Fedora) or only 4.x?

Only 4.x as far as I know, sorry I thought you were testing 4.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
