[Freeipa-users] IPA + OpenAFS

Dan Scott danieljamesscott at gmail.com
Wed Jul 11 19:10:47 UTC 2012


Hi,

On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang <qchang at sri.utoronto.ca> wrote:
> I agree with you that OpenAFS should implement better enctype. I'll raise it
> on their list. In the meantime, this is a block, do you have an estimate how
> long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> to our new infrastructure by end of July.

Is it really a block? I run IPA with OpenAFS. I used the kadmin
utility to extract the keytab (I think - this was quite a while ago).
The ipa-getkeytab utility is nice, but not required. Or am I missing
something?

> There is another issue, by convention OpenAFS service principal is created as
> afs/DOMAIN@REALM. IPA does not support creating a service principal without
> first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
> to add the flexibility in IPA to create an arbitrary service principal, which
> can be done with a standalone Kerberos KDC?

Again, you don't have to use the IPA tools. You can use the Kerberos
server tools.

Dan

> On 11/07/2012 2:24 PM, Simo Sorce wrote:
>>
>> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
>>>
>>> I think I do have it configured already:
>>> =====
>>> krbSupportedEncSaltTypes: aes256-cts:normal
>>> krbSupportedEncSaltTypes: aes256-cts:special
>>> krbSupportedEncSaltTypes: aes128-cts:normal
>>> krbSupportedEncSaltTypes: aes128-cts:special
>>> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
>>> krbSupportedEncSaltTypes: des3-hmac-sha1:special
>>> krbSupportedEncSaltTypes: arcfour-hmac:normal
>>> krbSupportedEncSaltTypes: arcfour-hmac:special
>>> krbSupportedEncSaltTypes: des-hmac-sha1:normal
>>> krbSupportedEncSaltTypes: des-cbc-md5:normal
>>> krbSupportedEncSaltTypes: des-cbc-crc:normal
>>> krbSupportedEncSaltTypes: des-cbc-crc:v4
>>> krbSupportedEncSaltTypes: des-cbc-crc:afs3
>>> krbDefaultEncSaltTypes: aes256-cts:special
>>> krbDefaultEncSaltTypes: aes128-cts:special
>>> krbDefaultEncSaltTypes: des3-hmac-sha1:special
>>> krbDefaultEncSaltTypes: arcfour-hmac:special
>>> =====
>>>
>>> As I mentioned, I can create keytabs with des-cbc-crc:normal and
>>> des-cbc-crc:afs3, but not with des-cbc-crc:v4, which is what OpenAFS uses.
>>>
>>> Qing
>>>
>>> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>>>>
>>>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>>>>
>>>>> please forgive me if this is a question that has been answered
>>>>> somewhere already.
>>>>>
>>>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
>>>>> authentication but stumble on this error:
>>>>>
>>>>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>>>>> fs: You don't have the required access rights on '/afs'
>>>>>
>>>>> A thread on OpenAFS mailing list suggests that it is because I have the
>>>>> wrong salt with my afs service key. The right one should be "des-cbc-crc:v4",
>>>>> but the following fails when I tried to create the keytab file:
>>>>> ====
>>>>> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p \
>>>>>     afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA --keytab /etc/afs.keytab \
>>>>>     -e des-cbc-crc:v4 -P
>>>>> New Principal Password:
>>>>> Verify Principal Password:
>>>>> Bad or unsupported salt type (1)!
>>>>> Failed to create key material
>>
>> OK, I just checked the code and found out that we do not support
>> creating keys with the 'v4' salt type in the ipa code.
>>
>> I am not sure why I skipped that salt type when I coded it up.
>> Probably because it is basically obsolete (and amounts to unsalted keys)
>> and the only thing that still uses it is AFS which uses DES that is also
>> a completely deprecated and insecure algorithm these days.
>>
>> Unfortunately it is not something that can be changed via some
>> parameter, if this is really needed I can only suggest opening a ticket
>> in freeipa trac instance.
>>
>> But can't AFS use some decent crypto these days, like AES ?
>>
>> Simo.
>>
>>
>
> --
> ------------------
> Qing Chang
> Senior Systems Administrator
> M6-624 Research Computing
> Sunnybrook Health Sciences Centre
> 2075 Bayview Ave.
> Toronto, Ontario,  M4N 3M5
> (416) 480-6100 x3263
> qchang at sri.utoronto.ca
> ------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
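A keytab written by ipa-getkeytab or by kadmin's ktadd records only the principal, kvno and enctype of each key, never the salt it was derived with, so a key made with the normal or afs3 salt is indistinguishable in `klist -ke` from one made with the v4 salt; the mismatch only surfaces when the AFS server cannot decrypt the ticket, as in the `fs setacl` failure above. The following is an added example, not code from this thread, FreeIPA or OpenAFS: it builds a small MIT-format (version 0x0502) keytab from constructed entries and parses it back, listing kvno and enctype the way `klist -ke` does and flagging single-DES and RC4 keys. The principal names mirror the thread; the key bytes, kvnos and timestamps are made up.

```python
"""Dump an MIT-format Kerberos keytab (file version 0x0502) without klist.

Added example for this thread; it is not code from FreeIPA, OpenAFS or the
posters. The sample keytab is built in-line by build_keytab() from made-up
key bytes, so the script runs offline.
"""
import struct

# RFC 3961 / IANA Kerberos enctype numbers. 1-3 (single DES) and 23 (RC4)
# are the legacy types the thread is about; 17 and 18 are the AES types
# Simo recommends instead.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}


def _counted(data):
    """Keytab 'counted octet string': uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)            # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp; fixed so output is stable
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)         # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob):
    """Return one dict per live entry. The format has no salt field, so a key
    derived with the wrong salt looks exactly like a correct one here."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, kvno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = kvno8
        if end - pos >= 4:            # 32-bit kvno present; it wins when nonzero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or kvno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key": key,
        })
    return entries


def weak_entries(entries):
    """(principal, enctype name) for every key using single DES or RC4."""
    return [(e["principal"], e["enctype_name"]) for e in entries
            if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: the DES afs service key from the thread next to an
# AES host key. Key bytes and kvnos are fabricated.
SAMPLE_ENTRIES = [
    ("afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA", 2, 1, bytes.fromhex("0123456789abcdef")),
    ("host/ipa2.sri.utoronto.ca@SRI.UTORONTO.CA", 3, 18, bytes(range(32))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print("%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    for principal, name in weak_entries(parsed):
        print("WEAK:", principal, name)
```

To inspect a real file, pass `open("/etc/afs.keytab", "rb").read()` to `parse_keytab`. Because the salt is not recorded, the only reliable check that the afs key was derived with the salt OpenAFS expects is functional: obtain a ticket for the afs principal and see whether the AFS server accepts it, which is exactly the step that failed in the thread.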