Adding Windows 10 client to freeIPA - Error : Failed to parse result: All enctypes provided are unsupported
Hi, Running freeIPA server on centos 8.2. Trying to setup mixed OS environment with linux and windows clients. Another centos8.2 machine connects to freeIPA without any problem. I am trying to connect a windows 10 client to the freeIPA and getting the following error :
[root@directory ~]# [root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P New Principal Password: Verify Principal Password: Failed to parse result: All enctypes provided are unsupported Retrying with pre-4.0 keytab retrieval method... Failed to parse result: All enctypes provided are unsupported Failed to get keytab! Failed to get keytab [root@directory ~]#
References followed : https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/ https://www.freeipa.org/page/Windows_authentication_against_FreeIPA https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8
lovepreetdeol via FreeIPA-users wrote:
Hi, Running freeIPA server on centos 8.2. Trying to setup mixed OS environment with linux and windows clients. Another centos8.2 machine connects to freeIPA without any problem. I am trying to connect a windows 10 client to the freeIPA and getting the following error :
[root@directory ~]# [root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P New Principal Password: Verify Principal Password: Failed to parse result: All enctypes provided are unsupported Retrying with pre-4.0 keytab retrieval method... Failed to parse result: All enctypes provided are unsupported Failed to get keytab! Failed to get keytab [root@directory ~]#
References followed : https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/ https://www.freeipa.org/page/Windows_authentication_against_FreeIPA https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8
RC4 ciphers are no longer allowed. Drop the -e arcfour-hmac and you might get farther.
rob
On ti, 07 heinä 2020, lovepreetdeol via FreeIPA-users wrote:
Hi, Running freeIPA server on centos 8.2. Trying to setup mixed OS environment with linux and windows clients. Another centos8.2 machine connects to freeIPA without any problem. I am trying to connect a windows 10 client to the freeIPA and getting the following error :
This (enrolling Windows system to IPA) is not supported.
Your problem is different, though.
[root@directory ~]# [root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local -e arcfour-hmac -k krb5.keytab.win10 -P New Principal Password: Verify Principal Password: Failed to parse result: All enctypes provided are unsupported Retrying with pre-4.0 keytab retrieval method... Failed to parse result: All enctypes provided are unsupported Failed to get keytab! Failed to get keytab [root@directory ~]#
In RHEL 8.2 (and earlier, starting with Fedora 30) MIT Kerberos started to deprecate RC4-HMAC encryption type. It is weak. FreeIPA 4.8.2+ changed the code to prevent generation of RC4-HMAC keys for all principals but cifs/..., so this is what you see above.
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-contro...
This is also documented in RHEL 8 documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
freeipa-users@lists.fedorahosted.org
-
Alexander Bokovoy -
lovepreetdeol -
Rob Crittenden