Hi Simo,

>> That's interesting. Now I can receive afs/cellname@REALM service
>> tickets with des-cbc-crc and aes256 key on the client but only when I
>> execute:
>>
>> kvno -e des-cbc-crc afs/cellname
>>
>> If I execute aklog to obtain an afs token from tgt I get an
>> afs/cellname@REALM service ticket without des-cbc-crc key.
> This is probably because you got all default enctypes in the key, so
> the KDC is sending you a ticket with the strongest keytype for which it
> has a shared key with the service.
>
>>> However, we have a problem in FreeIPA 4.x that an
>>> attempt to force only a specific encryption type in ipa-getkeytab is
>>> ignored and instead only enctypes from krbDefaultEncSaltTypes
>>> attribute are generated. This bug is tracked with
>>> https://fedorahosted.org/freeipa/ticket/4718
> This is the bug that is causing your last issue ^^
>
> One way around it is to use an older ipa-getkeytab binary (like the one
> on RHEL 6) that uses the old setkeytab control.
>
> We are working on a fix upstream and will land it asap.
>
> Simo.

In the lines above I read that the bug is in FreeIPA 4.x.
Does this bug also belong to FreeIPA Release 3.3.6 (which I use in Fedora) or only 4.x?

Thanks a lot,
Andreas
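An added example, not part of the original message: one way to check which enctypes a cached afs/cellname@REALM ticket actually carries (for instance after `kvno -e des-cbc-crc afs/cellname` versus after aklog) is to parse `klist -e` output. The sample output, the principal andreas@REALM, the dates and the function names are constructed for illustration, and the MIT `klist -e` line layout is assumed.

```python
import re

# Constructed sample of MIT `klist -e` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: andreas@REALM

Valid starting       Expires              Service principal
11/20/2014 09:00:00  11/21/2014 09:00:00  krbtgt/REALM@REALM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/20/2014 09:05:00  11/21/2014 09:00:00  afs/cellname@REALM
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# Single-DES enctype names; these are the weak types to flag.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# "<start date> <time>  <end date> <time>  <principal@REALM>"
TICKET_RE = re.compile(r"^\d\S* \S+\s+\d\S* \S+\s+(\S+@\S+)\s*$")
# Indented line that follows each ticket when klist is run with -e
ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)\s*$")


def parse_klist(text):
    """Return {service principal: (session key enctype, ticket enctype)}."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and current:
            # Newer klist builds may prefix weak enctypes with "DEPRECATED:".
            tickets[current] = tuple(e.replace("DEPRECATED:", "") for e in m.groups())
            current = None
    return tickets


def single_des_use(text, service):
    """Report whether the session key or the ticket itself uses single DES."""
    skey, tkt = parse_klist(text)[service]  # KeyError if not in the cache
    return {"session_key": skey in SINGLE_DES, "ticket": tkt in SINGLE_DES}


if __name__ == "__main__":
    for principal, etypes in parse_klist(SAMPLE_KLIST).items():
        print(principal, etypes, single_des_use(SAMPLE_KLIST, principal))
```
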
