directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: kinit failed on - Integrity check on decrypted field failed
Date Mon, 08 Apr 2013 17:34:47 GMT
On 4/8/13 7:16 PM, Kiran Ayyagari wrote:
> very likely that the default weak encryption type set in ApacheDS is the
> reason.
>
> either you enable the weak encryption support in krb5.conf
>
> [libdefaults]
>        allow_weak_crypto = true
>
> or modify the encryption types configured in ApacheDS
>
>  1. go to the entry
> ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
>
>  2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can
> add another value like aes256-cts-hmac-sha1-96)
>
>  3. restart the server
>
> let us know if you still have an issue

I wonder if this is not related to a bug I fixed 2 or 3 weeks ago: the
selection of the encryption mechanism is not correct in M11, and the
encryption type used by the client does not match the one used by the
server?

The workaround on the server would be to remove all the weak
encryptionTypes to only keep AES256.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
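
An added example, not part of the original message or of ApacheDS: a Python sketch that audits the `ads-krbEncryptionTypes` values in an LDIF export of the Kerberos server entry and builds the LDIF modification for steps 1 and 2 of the quoted procedure. The `WEAK` policy list, the function names and the sample entry are assumptions constructed for illustration.

```python
# Audit ads-krbEncryptionTypes in an LDIF export and build the LDIF change.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1-kd", "rc4-hmac"}  # assumed policy list
STRONG = "aes256-cts-hmac-sha1-96"
ATTR = "ads-krbEncryptionTypes"

# Constructed sample entry (not taken from a real server); the DN is folded on purpose.
SAMPLE_LDIF = """\
dn: ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,
 ou=config
ads-krbEncryptionTypes: des-cbc-md5
ads-krbEncryptionTypes: des3-cbc-sha1-kd
ads-krbEncryptionTypes: aes128-cts-hmac-sha1-96
"""

def parse_entry(ldif):
    """Return (dn, [enctypes]) from a single-entry LDIF, unfolding continuation lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 line folding
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, etypes = None, []
    for line in lines:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        elif name.lower() == ATTR.lower():
            etypes.append(value.strip())
    return dn, etypes

def build_fix(ldif):
    """Return (weak_found, ldif_modify); ldif_modify is None when nothing needs changing."""
    dn, etypes = parse_entry(ldif)
    weak = [e for e in etypes if e.lower() in WEAK]
    ops = []
    if weak:                                   # drop every weak value that is configured
        ops.append([f"delete: {ATTR}"] + [f"{ATTR}: {e}" for e in weak])
    if STRONG not in (e.lower() for e in etypes):
        ops.append([f"add: {ATTR}", f"{ATTR}: {STRONG}"])
    if not ops:
        return weak, None
    out = [f"dn: {dn}", "changetype: modify"]
    for op in ops:
        out += op + ["-"]                      # "-" terminates each modify operation
    return weak, "\n".join(out) + "\n"

if __name__ == "__main__":
    weak, fix = build_fix(SAMPLE_LDIF)
    print("weak enctypes configured:", weak)
    print(fix or "nothing to change")
```

The generated LDIF still has to be applied to the server, followed by the restart from step 3.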

