Discussion:
[Freeipa-users] KDC has no support for encryption type
Matt .
2014-12-29 22:09:07 UTC
Permalink
Hi All,

While doing some IPA commands on my 4.1.2 install I get the following error:


ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)/

I already tried to add this to my [libdefaults] in my krb5.conf:


[libdefaults]
...
allow_weak_crypto = yes
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

But this doesn't seem to fix it.

Is this still the known bug in 4.x ?

And can I fix it ?

Thanks!

Matt
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Dmitri Pal
2014-12-29 22:23:35 UTC
Permalink
Post by Matt .
Hi All,
ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC has no support for encryption type', -1765328370)/
[libdefaults]
...
allow_weak_crypto = yes
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
I am not sure about the spaces, but I suspect they are OK.
What is probably not OK is that you have not listed all the other encryption
types that IPA assumes.
If you need weaker ciphers, you need to list them in addition to the
strong ones.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/krb5_conf.html
Post by Matt .
But this doesn't seem to fix it.
Is this still the known bug in 4.x ?
And can I fix it ?
Thanks!
Matt
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Matt .
2014-12-29 22:31:49 UTC
Permalink
OK, thanks for that.

But should an IPA install not add them by default ? Maybe this is some
4.x dev which is still needed ?

I need to look what I exactly need.
Matt .
2014-12-30 11:06:40 UTC
Permalink
Reading up on this, the weak password setting should work, but it doesn't.

What are my chances here as I need to do a "ipa pwpolicy-mod --maxlife 200"

Or can this be done from a ldap browser too ?
Post by Matt .
OK, thanks for that.
But should an IPA install not add them by default ? Maybe this is some
4.x dev which is still needed ?
I need to look what I exactly need.
Dmitri Pal
2015-01-02 19:17:59 UTC
Permalink
Post by Matt .
Reading up on this, the weak password setting should work, but it doesn't.
What are my chances here as I need to do a "ipa pwpolicy-mod --maxlife 200"
This touches the expiration not the encryption types.
Post by Matt .
Or can this be done from a ldap browser too ?
Yes. It sets the global Kerberos password expiration attribute.
Post by Matt .
Post by Matt .
OK, thanks for that.
But should an IPA install not add them by default ? Maybe this is some
4.x dev which is still needed ?
I need to look what I exactly need.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Petr Spacek
2015-01-05 08:47:28 UTC
Permalink
Post by Matt .
But should an IPA install not add them by default ? Maybe this is some
I'm not sure that I understand what you mean, but DES is disabled on purpose
because it is completely insecure nowadays. Maybe you should try to rule it
out from your deployment.

According to [1], it was possible to attack DES key back in 2008. I don't want
to even guess how easy it has to be today. DES in Kerberos was formally
deprecated by RFC 6649 [2].

Also, the -CRC variants are completely insecure by design (because they are malleable).

[1] http://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[2] https://tools.ietf.org/html/rfc6649

Have a nice day!
--
Petr^2 Spacek
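Putting Dmitri's advice (list weak types in addition to the strong ones, or not at all) and Petr's (rule DES out) into a concrete krb5.conf, as an added example that is not part of the original thread: the [libdefaults] block as posted, next to a corrected one. The enctype names are MIT krb5's; whether any legacy service in your deployment still needs arcfour-hmac is an assumption you have to check yourself, and the safest setting is to not restrict the client lists at all.

```ini
# Added example, not from the thread. Two versions of the same
# [libdefaults] block; only one of them belongs in a real krb5.conf.

# --- As posted: the client offers only RC4 and DES variants. An IPA 4.x
#     KDC that has no DES keys for the principal, and no DES enabled,
#     answers "KDC has no support for encryption type", and
#     allow_weak_crypto on the client side cannot change what the KDC has.
[libdefaults]
allow_weak_crypto = yes
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5

# --- Corrected: strong types first, no single-DES at all (RFC 6649), and
#     arcfour-hmac kept only on the assumption that some legacy service
#     still needs it. allow_weak_crypto is not set because nothing weak
#     enough to require it is listed.
[libdefaults]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac

# --- Simplest of all: delete both default_*_enctypes lines (and
#     allow_weak_crypto) and let libkrb5's built-in list apply; the IPA
#     installer does not need them.
```

After editing the file, run kdestroy, kinit again, and check with `klist -e` that the TGT and service tickets come back with an AES enctype; if a specific service still forces RC4, that shows up there as well, and that service, not the whole client, is what needs attention.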