Re: [Freeipa-users] KDC has no support for encryption type
On 29.12.2014 23:31, Matt . wrote:
> But should an IPA install not add them by default ? Maybe this is some

I'm not sure that I understand what you mean, but DES is disabled on purpose because it is completely insecure nowadays. Maybe you should try to rule it out from your deployment.

According to [1], it was possible to attack a DES key back in 2008. I don't want to even guess how easy it has to be today.

DES in Kerberos was formally deprecated by RFC 6649 [2]. Also, -CRC variants are completely insecure by design (because it is malleable).

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649

Have a nice day!

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] KDC has no support for encryption type
On 12/30/2014 06:06 AM, Matt . wrote:
> Reading up on this the weak password setting should work, but it doesn't.
> What are my chances here as I need to do a
>
> ipa pwpolicy-mod --maxlife 200

This touches the expiration not the encryption types.

> Or can this be done from a ldap browser too ?

Yes. It sets the global kerberos password expiration attribute.

> 2014-12-29 23:31 GMT+01:00 Matt . yamakasi@gmail.com:
>> OK, thanks for that.
>>
>> But should an IPA install not add them by default ? Maybe this is some
>> 4.x dev which is still needed ?
>>
>> I need to look what I exactly need.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

[Freeipa-users] KDC has no support for encryption type
Hi All,

While doing some IPA commands on my 4.1.2 install I get the following error:

ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)/

I already tried to add this to my [libdefaults] in my krb5.conf:

[libdefaults]
...
allow_weak_crypto = yes
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

But this doesn't seem to fix it. Is this still the known bug in 4.x ? And can I fix it ?

Thanks!

Matt
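
Added example, not part of the original thread and not FreeIPA or MIT krb5 code: a small Python check that reads [libdefaults] settings like the ones quoted in the post above and reports those that re-enable enctypes deprecated by RFC 6649. The function name `audit_libdefaults`, the `WEAK` set and the sample text are assumptions made for this illustration.

```python
import re

# Enctypes deprecated by RFC 6649: single DES and export-grade RC4.
# "des" is the family alias that MIT krb5 expands to all single-DES types.
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
        "rc4-hmac-exp", "arcfour-hmac-exp"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes"}
# Spellings that krb5.conf boolean options accept as "true".
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample built from the settings quoted in the post above.
SAMPLE = """\
[libdefaults]
# default_tgs_enctypes = des-cbc-md4   (commented out, must be ignored)
allow_weak_crypto = yes
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
"""


def audit_libdefaults(text):
    """Return (key, finding) pairs for weak-crypto settings in [libdefaults]."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((key, "enabled"))
        elif key in ENCTYPE_KEYS:
            # Lists may be comma- or space-separated; names compare case-insensitively.
            for name in re.split(r"[,\s]+", value.lower()):
                if name in WEAK:
                    findings.append((key, name))
    return findings


if __name__ == "__main__":
    for key, finding in audit_libdefaults(SAMPLE):
        print(f"{key}: {finding}")
```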