On Fri, 09 Jun 2017, Rob Crittenden via FreeIPA-users wrote:
Jose and I exchanged some files privately and I think I've narrowed down the enrollment problem to failing to get a keytab due to the error:
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
This is because newer IPA servers don't support DES.
I don't recall the workaround for this but it likely involves enabling weak crypto support in the KDC, something I'm not sure works these days (not a bad thing).
I have this documented in https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/#en...
I seem to recall I made a patch to ipa-getkeytab eons ago to cause it to not completely fail as long as one requested key type is retrieved by ipa-getkeytab but it seems unlikely to have been backported to EL 5 (and zero chance at this point).
Not sure what to recommend at this point. Enabling DES is not the best idea.
Yes, this is not really for a world of 2017.
You could follow the manual client configuration instructions instead.
That would be the best option.
A keytab can be retrieved on a different machine and supplied to the CentOS 5 client. One needs to make sure only a specific AES key is retrieved because CentOS 5 does support AES-128 in backports, I think.