Re: [Freeipa-users] KDC has no support for encryption type

2015-01-05 Thread Petr Spacek
On 29.12.2014 23:31, Matt . wrote:
> But should an IPA install not add them by default? Maybe this is some

I'm not sure that I understand what you mean, but DES is disabled on purpose
because it is completely insecure nowadays. Maybe you should try to rule it
out from your deployment.

According to [1], it was possible to attack a DES key back in 2008. I don't want
to even guess how easy it has to be today. DES in Kerberos was formally
deprecated by RFC 6649 [2].

Also, -CRC variants are completely insecure by design (because it is malleable).

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649

Have a nice day!

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
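
Added example, not part of the thread: a small Python audit of a krb5.conf [libdefaults] section that flags what the reply above advises against, namely single-DES and -CRC enctypes and allow_weak_crypto. The set of enctype names follows MIT krb5 spelling and is an assumption of this example, as are the function names; the sample input is constructed from the settings quoted in the original post of this thread.

```python
import re

# Names treated as weak here: single-DES enctypes as MIT krb5 spells them
# (an assumption of this example), plus anything ending in -crc.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample mirroring the settings quoted in the thread.
SAMPLE = """\
[libdefaults]
 allow_weak_crypto = yes
 default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
 default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
"""

def is_weak(enctype):
    name = enctype.lower()
    return name in SINGLE_DES or name.endswith("-crc")

def audit_libdefaults(text):
    """Return (key, problem) findings for the [libdefaults] section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip().lower() for p in line.split("=", 1))
        if key == "allow_weak_crypto" and value in TRUE_VALUES:
            findings.append((key, "weak enctypes enabled"))
        elif key in ENCTYPE_KEYS:
            # Lists are comma- or space-separated; a leading "-" removes an entry.
            for token in re.split(r"[,\s]+", value):
                if token and not token.startswith("-") and is_weak(token):
                    findings.append((key, token))
    return findings

if __name__ == "__main__":
    for key, problem in audit_libdefaults(SAMPLE):
        print(f"{key}: {problem}")
```
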


Re: [Freeipa-users] KDC has no support for encryption type

2015-01-02 Thread Dmitri Pal

On 12/30/2014 06:06 AM, Matt . wrote:
> Reading up on this the weak password setting should work, but it doesn't.
>
> What are my chances here as I need to do a ipa pwpolicy-mod --maxlife 200

This touches the expiration not the encryption types.

> Or can this be done from a ldap browser too?

Yes. It sets the global kerberos password expiration attribute.

> 2014-12-29 23:31 GMT+01:00 Matt . yamakasi@gmail.com:
>> OK, thanks for that.
>>
>> But should an IPA install not add them by default? Maybe this is some
>> 4.x dev which is still needed?
>>
>> I need to look what I exactly need.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



[Freeipa-users] KDC has no support for encryption type

2014-12-29 Thread Matt .
Hi All,

While doing some IPA commands on my 4.1.2 install I get the following error:


ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)/

I already tried to add this to my [libdefaults] in my krb5.conf:


[libdefaults]
 ...
allow_weak_crypto = yes
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

But this doesn't seem to fix it.

Is this still the known bug in 4.x ?

And can I fix it ?

Thanks!

Matt
