[Freeipa-users] IPA + OpenAFS

Simo Sorce simo@redhat.com
Wed Jul 11 12:28:05 UTC 2012


On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
> please forgive me if this is a question that has been answered somewhere already.
> 
> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
> authentication but stumble on this error:
> 
> [root@smb1 ~]# fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
> 
> A thread on the OpenAFS mailing list suggests that it is because I have the wrong salt
> with my afs service key. The right one should be "des-cbc-crc:v4", but the following fails
> when I try to create the keytab file:
> ====
> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p 
> afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
> New Principal Password:
> Verify Principal Password:
> Bad or unsupported salt type (1)!
> Failed to create key material
> ====
> 
> My IPA server kdc.conf file has this:
> supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal 
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
> 
> And the krb5.conf file on both IPA server and OpenAFS server has this:
> allow_weak_crypto = true
> 
> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and des-cbc-crc:afs3 works, but OpenAFS
> does not like them.

You need to change the supported enc types in LDAP for IPA to care.
These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
LDAP.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
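As an added example (not from Simo or the thread), this shell snippet shows the LDAP change Simo points to: it checks whether an enc:salt type is already listed on the realm entry and, if not, emits the ldapmodify LDIF that adds it. The attribute name krbSupportedEncSaltTypes is taken from the FreeIPA Kerberos schema; the realm, suffix and ldapsearch output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Realm and suffix are placeholders.
REALM="EXAMPLE.COM"
SUFFIX="dc=example,dc=com"

# DN of the per-realm container Simo refers to: cn=REALM,cn=kerberos,$suffix
realm_dn() {
    printf 'cn=%s,cn=kerberos,%s\n' "$REALM" "$SUFFIX"
}

# Exit 0 if enc:salt type $1 already appears in the LDIF read from stdin.
has_enc_salt_type() {
    grep -qx "krbSupportedEncSaltTypes: $1"
}

# Emit ldapmodify LDIF that adds $1 to krbSupportedEncSaltTypes only.
# krbDefaultEncSaltTypes is left alone, so a weak type such as single-DES is
# only ever used for keytabs explicitly requested with ipa-getkeytab -e.
add_enc_salt_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: krbSupportedEncSaltTypes\nkrbSupportedEncSaltTypes: %s\n' \
        "$(realm_dn)" "$1"
}

# Constructed stand-in for the realm entry as ldapsearch would print it.
SAMPLE_ENTRY='dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal'

# Print the LDIF needed for $1, or a comment and non-zero status if no change
# is needed. Reads the entry from SAMPLE_ENTRY; in practice it would come from:
#   ldapsearch -Y GSSAPI -b "$(realm_dn)" krbSupportedEncSaltTypes
# and the LDIF would be fed to:  ldapmodify -Y GSSAPI
plan_change() {
    if printf '%s\n' "$SAMPLE_ENTRY" | has_enc_salt_type "$1"; then
        echo "# $1 already supported; nothing to do"
        return 1
    fi
    add_enc_salt_ldif "$1"
}

plan_change des-cbc-crc:v4
```

Once the modify is applied, the ipa-getkeytab invocation from the question with -e des-cbc-crc:v4 is what exercises the new entry.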



