Am 07.11.2014 um 15:49 schrieb Brandon Allbery: > On Fri, 2014-11-07 at 15:42 +0100, Andreas Ladanyi wrote: >> Am 07.11.2014 um 14:46 schrieb Brandon Allbery: >>> On Fri, 2014-11-07 at 11:41 +0100, Andreas Ladanyi wrote: >>>> Kerberos error code returned by get_cred : -1765328370 >>> KRB5KDC_ERR_ETYPE_NOSUPP >>> >>> You are probably still using DES, and need "allow_weak_crypto = true" in >>> [libdefaults] on clients and the KDC. An answer for the future (and >>> possibly necessary as some Kerberos implementations are disabling DES >>> entirely) is to migrate the AFS cell to rxkad-k5. >>> >> allow_weak_crypto = true is set in the krb5.conf on test client pc. It >> doesnt work. > "and the KDC" --- if the KDC is not allowing DES then it doesn't matter > what the client allows. I am not familiar with FreeIPA and don't know > what you need to do on it to enable DES, but it is almost certainly > disabled by default --- you can make principals using it but the KDC > will not admit to its existence to clients. > Hi Brandon,
sorry i didnt told that. In FreeIPA you must enable the DES salttype. I enabled the des-cbc-crc:normal and des-cbc-crc:v4. cheers, Andreas
smime.p7s
Description: S/MIME Cryptographic Signature
