On ti, 07 heinä 2020, lovepreetdeol via FreeIPA-users wrote:
Hi,
Running freeIPA server on centos 8.2. Trying to setup mixed OS
environment with linux and windows clients. Another centos8.2 machine
connects to freeIPA without any problem.
I am trying to connect a windows 10 client to the freeIPA and getting
the following error :
This (enrolling Windows system to IPA) is not supported.
Your problem is different, though.
[root@directory ~]#
[root@directory ~]# ipa-getkeytab -s directory.compnet.local -p host/win10.compnet.local
-e arcfour-hmac -k krb5.keytab.win10 -P
New Principal Password:
Verify Principal Password:
Failed to parse result: All enctypes provided are unsupported
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: All enctypes provided are unsupported
Failed to get keytab!
Failed to get keytab
[root@directory ~]#
In RHEL 8.2 (and earlier, starting with Fedora 30) MIT Kerberos started
to deprecate RC4-HMAC encryption type. It is weak. FreeIPA 4.8.2+
changed the code to prevent generation of RC4-HMAC keys for all
principals but cifs/..., so this is what you see above.
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-con...
This is also documented in RHEL 8 documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland