On Fri, 2014-11-07 at 15:42 +0100, Andreas Ladanyi wrote: > Am 07.11.2014 um 14:46 schrieb Brandon Allbery: > > On Fri, 2014-11-07 at 11:41 +0100, Andreas Ladanyi wrote: > >> Kerberos error code returned by get_cred : -1765328370 > > KRB5KDC_ERR_ETYPE_NOSUPP > > > > You are probably still using DES, and need "allow_weak_crypto = true" in > > [libdefaults] on clients and the KDC. An answer for the future (and > > possibly necessary as some Kerberos implementations are disabling DES > > entirely) is to migrate the AFS cell to rxkad-k5. > > > allow_weak_crypto = true is set in the krb5.conf on test client pc. It > doesnt work.
"and the KDC" --- if the KDC is not allowing DES then it doesn't matter what the client allows. I am not familiar with FreeIPA and don't know what you need to do on it to enable DES, but it is almost certainly disabled by default --- you can make principals using it but the KDC will not admit to its existence to clients. -- brandon s allbery kf8nh sine nomine associates allber...@gmail.com ballb...@sinenomine.net unix openafs kerberos infrastructure xmonad http://sinenomine.net
