mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
a6030f5f53
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from the template in install/share/kdc.conf.template. Master key encryption type specified there is used to bootstrap the master key in LDAP database. Once it is done, actual deployment does not rely on the master_key_type value anymore. The actual master key(s) get loaded from LDAP database where they stored in a BER-encoded format, preserving all parameters, including encryption type. This means we can safely migrate to AES256-SHA2 as the default master key encryption type for new installations. Replicas will get their master key encryption type details from the server they were provisioned from. MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is the earliest supported version as it provides krb5 1.15.1. Current supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this change does not affect old releases. Migration from the previously deployed master key encryption type is described by MIT Kerberos upstream in http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key One would need to use '-x ipa-setup-override-restrictions' to allow the `kdb5_util` utility to modify the data over IPA KDB driver. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> |
||
---|---|---|
.. | ||
advise | ||
custodia | ||
dnssec | ||
install | ||
plugins | ||
secrets | ||
__init__.py | ||
dcerpc_common.py | ||
dcerpc.py | ||
dns_data_management.py | ||
Makefile.am | ||
masters.py | ||
p11helper.py | ||
rpcserver.py | ||
servroles.py | ||
setup.cfg | ||
setup.py | ||
topology.py | ||
wsgi.py |