#4718 keytab generation with limited enctype is broken
Closed: Fixed None Opened 9 years ago by abbra.

Even when des-cbc-crc is allowed in krbsupportedencsalttypes and in krb5.conf/kdc.conf, one cannot generate keytab using this encryption type. In fact, specifying '-e' option to 'ipa-getkeytab' does not limit encryption types at all, even for strong cryptography.

[root@cc21 ~]# ipa service-del afs/afs-host.ipacloud.test
----------------------------------------------------------
Deleted service "afs/afs-host.ipacloud.test@IPACLOUD.TEST"
----------------------------------------------------------
[root@cc21 ~]# rm /tmp/afs.keytab
rm: remove regular file ‘/tmp/afs.keytab’? y
[root@cc21 ~]# ipa service-add afs/afs-host.ipacloud.test --force
--------------------------------------------------------
Added service "afs/afs-host.ipacloud.test@IPACLOUD.TEST"
--------------------------------------------------------
  Principal: afs/afs-host.ipacloud.test@IPACLOUD.TEST
  Managed by: afs-host.ipacloud.test
[root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-host.ipacloud.test -P  -k /tmp/afs.keytab -e des-cbc-crc:v4
New Principal Password: 
Verify Principal Password: 
Keytab successfully retrieved and stored in: /tmp/afs.keytab
[root@cc21 ~]# klist -k /tmp/afs.keytab -Kte
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (aes256-cts-hmac-sha1-96)  (0xe2142f9365ef689b130ad4b8b51fa3467380a869d5367f04f12242e4769e3a0c)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (aes128-cts-hmac-sha1-96)  (0xaf6964c2084719218b64d95e5ba7e850)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (des3-cbc-sha1)  (0x38049202542c4a3e6bd525a8452f15a185c12cec7ad6136b)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (arcfour-hmac)  (0xf8e4df028cd34224ff0d0195cd3b5669)

We would like to push for this as a blocker for Fedora 21.

Metadata Update from @abbra:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.0.6

6 years ago

Login to comment on this ticket.

Metadata