Hi, Running FreeIPA server on CentOS 8.2. Trying to set up a mixed OS environment with Linux and Windows clients. Another CentOS 8.2 machine connects to FreeIPA without any problem. I am trying to connect a Windows 10 client to FreeIPA and getting the following error:
[root@directory ~]#
[root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P
New Principal Password:
Verify Principal Password:
Failed to parse result: All enctypes provided are unsupported
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: All enctypes provided are unsupported
Failed to get keytab!
Failed to get keytab
[root@directory ~]#

References followed:
https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8

lovepreetdeol via FreeIPA-users wrote:
> Hi, Running FreeIPA server on CentOS 8.2. Trying to set up a mixed OS environment with Linux and Windows clients. Another CentOS 8.2 machine connects to FreeIPA without any problem. I am trying to connect a Windows 10 client to FreeIPA and getting the following error:
>
> [root@directory ~]#
> [root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P
> New Principal Password:
> Verify Principal Password:
> Failed to parse result: All enctypes provided are unsupported
> Retrying with pre-4.0 keytab retrieval method...
> Failed to parse result: All enctypes provided are unsupported
> Failed to get keytab!
> Failed to get keytab
> [root@directory ~]#
>
> References followed:
> https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/
> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8

RC4 ciphers are no longer allowed. Drop the -e arcfour-hmac and you might get farther.
rob

On Tue, 07 Jul 2020, lovepreetdeol via FreeIPA-users wrote:
> Hi, Running FreeIPA server on CentOS 8.2. Trying to set up a mixed OS environment with Linux and Windows clients. Another CentOS 8.2 machine connects to FreeIPA without any problem. I am trying to connect a Windows 10 client to FreeIPA and getting the following error:

This (enrolling Windows system to IPA) is not supported.
Your problem is different, though.

> [root@directory ~]#
> [root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P
> New Principal Password:
> Verify Principal Password:
> Failed to parse result: All enctypes provided are unsupported
> Retrying with pre-4.0 keytab retrieval method...
> Failed to parse result: All enctypes provided are unsupported
> Failed to get keytab!
> Failed to get keytab
> [root@directory ~]#

In RHEL 8.2 (and earlier, starting with Fedora 30) MIT Kerberos started to deprecate the RC4-HMAC encryption type. It is weak. FreeIPA 4.8.2+ changed the code to prevent generation of RC4-HMAC keys for all principals but cifs/..., so this is what you see above.
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-contro...
This is also documented in RHEL 8 documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
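
Added example, not part of the original thread or of FreeIPA's own tooling: a shell filter that reads the text printed by MIT `klist -ke <keytab>` and lists keys still using RC4 or DES, marking cifs/ principals as the exception described above. The sample listing, principals and realm are constructed, and the filter assumes the short enctype names that current MIT klist prints.

```shell
#!/bin/sh
# Constructed sample of `klist -ke` output; names and realm are made up.
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 host/client1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   3 host/legacy.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 cifs/files.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   2 cifs/files.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
EOF
}

# weak_keytab_entries: read a `klist -ke` (or `klist -ket`) listing on stdin
# and print "principal enctype verdict" for every RC4 or DES/3DES key.
# Verdict is "cifs-exception" for cifs/ principals (the one case where the
# thread says RC4 keys are still generated) and "review" for anything else.
weak_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = $NF
            gsub(/[()]/, "", enc)
            sub(/^DEPRECATED:/, "", enc)  # prefix used by newer klist builds
            princ = $(NF - 1)             # works with or without timestamps
            if (enc ~ /^(arcfour|rc4|des)/) {
                verdict = (princ ~ /^cifs\//) ? "cifs-exception" : "review"
                print princ, enc, verdict
            }
        }'
}

# Demonstration on the constructed sample. On a real host:
#   klist -ke /etc/krb5.keytab | weak_keytab_entries
sample_listing | weak_keytab_entries
```
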
freeipa-users@lists.fedorahosted.org