Even when des-cbc-crc is allowed in krbsupportedencsalttypes and in krb5.conf/kdc.conf, one cannot generate a keytab using this encryption type. In fact, specifying the '-e' option to 'ipa-getkeytab' does not limit encryption types at all, even for strong cryptography.
[root@cc21 ~]# ipa service-del afs/afs-host.ipacloud.test
----------------------------------------------------------
Deleted service "afs/afs-host.ipacloud.test@IPACLOUD.TEST"
----------------------------------------------------------
[root@cc21 ~]# rm /tmp/afs.keytab
rm: remove regular file ‘/tmp/afs.keytab’? y
[root@cc21 ~]# ipa service-add afs/afs-host.ipacloud.test --force
--------------------------------------------------------
Added service "afs/afs-host.ipacloud.test@IPACLOUD.TEST"
--------------------------------------------------------
  Principal: afs/afs-host.ipacloud.test@IPACLOUD.TEST
  Managed by: afs-host.ipacloud.test
[root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-host.ipacloud.test -P -k /tmp/afs.keytab -e des-cbc-crc:v4
New Principal Password:
Verify Principal Password:
Keytab successfully retrieved and stored in: /tmp/afs.keytab
[root@cc21 ~]# klist -k /tmp/afs.keytab -Kte
Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (aes256-cts-hmac-sha1-96)  (0xe2142f9365ef689b130ad4b8b51fa3467380a869d5367f04f12242e4769e3a0c)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (aes128-cts-hmac-sha1-96)  (0xaf6964c2084719218b64d95e5ba7e850)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (des3-cbc-sha1)  (0x38049202542c4a3e6bd525a8452f15a185c12cec7ad6136b)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (arcfour-hmac)  (0xf8e4df028cd34224ff0d0195cd3b5669)
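The session above shows the symptom: `-e des-cbc-crc:v4` was requested, yet the keytab came back with AES, 3DES and RC4 keys and no DES key. The following check is an added example, not part of this ticket or of FreeIPA: it parses `klist -Kte` output and reports every enctype that was not requested, so the mismatch is caught before the keytab is handed to a service. The function names are hypothetical, the sample output is the ticket's own `klist` listing with the key material shortened, and the parser assumes the line layout shown in the ticket (a `DEPRECATED:` prefix, as printed by newer MIT `klist`, is tolerated).

```shell
#!/bin/sh
# Added example for the ipa-getkeytab -e bug described in the ticket;
# not FreeIPA code. Assumes `klist -Kte` prints entries in the layout
# shown in the ticket: KVNO, date, time, principal, (enctype), (0xkey).

# keytab_enctypes: read `klist -Kte` output on stdin, print each distinct
# enctype once per line.
keytab_enctypes() {
    awk '
        /^ *[0-9]+ / {
            for (i = 4; i <= NF; i++) {
                # the enctype is the first parenthesised token after the
                # principal; the key material printed by -K is "(0x...)",
                # which also matches the character class, so skip it
                if ($i ~ /^\((DEPRECATED:)?[a-z0-9-]+\)$/ && $i !~ /^\(0x/) {
                    gsub(/[()]/, "", $i); sub(/^DEPRECATED:/, "", $i)
                    if (!seen[$i]++) print $i
                    break
                }
            }
        }'
}

# unexpected_enctypes ENCTYPE[:SALT]... < klist_output
# Prints every enctype present in the keytab that was not requested.
# Exit status 1 if any such enctype exists, 0 if the keytab matches.
unexpected_enctypes() {
    allowed=""
    for e in "$@"; do
        allowed="$allowed ${e%%:*} "   # strip the salt: des-cbc-crc:v4 -> des-cbc-crc
    done
    status=0
    for found in $(keytab_enctypes); do
        case "$allowed" in
            *" $found "*) ;;
            *) echo "$found"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample: the ticket's `klist -Kte /tmp/afs.keytab` output with
# the keys shortened, embedded so the check runs without a KDC.
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (aes256-cts-hmac-sha1-96)  (0xe2142f93)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (aes128-cts-hmac-sha1-96)  (0xaf6964c2)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (des3-cbc-sha1)  (0x38049202)
   1 11/12/2014 19:38:44 afs/afs-host.ipacloud.test@IPACLOUD.TEST (arcfour-hmac)  (0xf8e4df02)'

# Against a real keytab:  klist -Kte /tmp/afs.keytab | unexpected_enctypes des-cbc-crc:v4
printf '%s\n' "$SAMPLE_KLIST" | unexpected_enctypes des-cbc-crc:v4 \
    && echo "keytab matches the requested enctypes" \
    || echo "keytab contains enctypes that were not requested (see list above)"
```

Run with the ticket's own request (`des-cbc-crc:v4`) the check lists all four enctypes as unexpected and exits 1; the same check run after the fix should print nothing and exit 0. Because the check only reads `klist` output, it works equally for keytabs fetched with `ipa-getkeytab -r` or written by `kadmin ktadd`.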
This (untested) patch should fix the issue. 0001-Fix-reading-enctyes-from-a-get-keytab-request.patch
We would like to push for this as a blocker for Fedora 21.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1165674 (Fedora)
changes also related to #4728
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @abbra: - Issue assigned to simo - Issue set to the milestone: FreeIPA 4.0.6