[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Wed Jul 11 14:19:57 UTC 2012


I think I do have it configured already:
=====
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
=====

As I mentioned, I can create keytabs with des-cbc-crc:normal and des-cbc-crc:afs3,
but not with des-cbc-crc:v4, which is what OpenAFS uses.

Qing

On 11/07/2012 8:28 AM, Simo Sorce wrote:
> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>> please forgive me if this is a question that has been answered somewhere already.
>>
>> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
>> authentication but stumble on this error:
>>
>> [root at smb1 ~]# fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>>
>> A thread on the OpenAFS mailing list suggests that it is because I have the wrong salt
>> with my afs service key. The right one should be "des-cbc-crc:v4", but the following fails
>> when I try to create the keytab file:
>> ====
>> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
>> New Principal Password:
>> Verify Principal Password:
>> Bad or unsupported salt type (1)!
>> Failed to create key material
>> ====
>>
>> My IPA server kdc.conf file has this:
>> supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>
>> And the krb5.conf file on both IPA server and OpenAFS server has this:
>> allow_weak_crypto = true
>>
>> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and des-cbc-crc:afs3 works, but OpenAFS
>> does not like them.
> You need to change the supported enc types in LDAP for IPA to care.
> These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
> LDAP.
>
> Simo.
>
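Added example, not code from this thread, from FreeIPA or from MIT krb5: a small Python parser for the enctype:salttype strings that appear above (kdc.conf supported_enctypes and the krbSupportedEncSaltTypes / krbDefaultEncSaltTypes LDAP attributes), the numeric KRB5_KDB_SALTTYPE values they map to, and the salt string krb5 derives from the afs service principal for each salt type. The salt-string rules follow MIT krb5's database salt computation; the DES string-to-key step itself is deliberately not included.

```python
# Added example (not code from the thread, FreeIPA or MIT krb5).
# Numeric values are the KRB5_KDB_SALTTYPE_* constants from MIT krb5's kdb.h.
SALT_TYPES = {
    "normal": 0,     # realm followed by all principal components, no separators
    "v4": 1,         # empty salt (Kerberos 4 compatibility; what OpenAFS expects)
    "norealm": 2,    # principal components only
    "onlyrealm": 3,  # realm only
    "special": 4,    # random salt stored alongside the key, not derivable here
    "afs3": 5,       # realm name handed to the AFS string-to-key as the cell name
}

def parse_enc_salt(spec):
    """Split 'enctype:salttype' into (enctype, salttype number).

    A missing salt type defaults to 'normal', as kdc.conf does.
    Raises ValueError for an unknown salt type name.
    """
    enctype, _, salt = spec.partition(":")
    salt = salt or "normal"
    if not enctype or salt not in SALT_TYPES:
        raise ValueError("Bad or unsupported salt type: %r" % spec)
    return enctype, SALT_TYPES[salt]

def salt_for_principal(principal, salt_num):
    """Return the salt string krb5 derives for principal ('svc/host@REALM')."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if salt_num == 0:                      # normal
        return realm + "".join(components)
    if salt_num == 1:                      # v4: no salt at all
        return ""
    if salt_num == 2:                      # norealm
        return "".join(components)
    if salt_num in (3, 5):                 # onlyrealm and afs3 both use the realm
        return realm
    raise ValueError("salt type %d has no principal-derived salt" % salt_num)

def is_supported(spec, supported):
    """True if spec (e.g. 'des-cbc-crc:v4') matches an entry in the
    krbSupportedEncSaltTypes list passed as `supported`."""
    want = parse_enc_salt(spec)
    return want in {parse_enc_salt(s) for s in supported}
```

Running `is_supported("des-cbc-crc:v4", [...])` against the attribute values from the LDAP entry shows whether the realm's policy admits the combination at all; a failure with "Bad or unsupported salt type" while the pair is listed points at the client tool's own salt handling rather than at the realm configuration.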
