[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Tue Jul 10 19:53:12 UTC 2012


Please forgive me if this is a question that has been answered somewhere already.

I am almost finished setting up my first OpenAFS cell using IPA's KDC for
authentication but have stumbled on this error:

[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

A thread on the OpenAFS mailing list suggests that it is because I have the wrong salt
with my afs service key. The right one should be "des-cbc-crc:v4", but the following fails
when I try to create the keytab file:
====
[root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
New Principal Password:
Verify Principal Password:
Bad or unsupported salt type (1)!
Failed to create key material
====

My IPA server kdc.conf file has this:
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3

And the krb5.conf file on both the IPA server and the OpenAFS server has this:
allow_weak_crypto = true

Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and des-cbc-crc:afs3 works, but OpenAFS
does not like them.

Thanks,
Qing

-- 
------------------
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario,  M4N 3M5
(416) 480-6100 x3263
qchang at sri.utoronto.ca
------------------



