[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Wed Jul 11 19:21:18 UTC 2012



On 11/07/2012 3:10 PM, Dan Scott wrote:
> Hi,
>
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang <qchang at sri.utoronto.ca> wrote:
>> I agree with you that OpenAFS should implement a better enctype. I'll raise it
>> on their list. In the meantime, this is a block; do you have an estimate of how
>> long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
>> we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
>> on our new infrastructure by end of July.
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?
Because of the integration of Kerberos in IPA, Kerberos tools can be used only in limited
situations; when creating afs/DOMAIN@REALM with kadmin, I got this error:
add_principal: Kerberos database constraints violated while creating "afs/DOMAIN@REALM"

>> There is another issue: by convention the OpenAFS service principal is created
>> as afs/DOMAIN@REALM. IPA does not support creating a service principal without
>> first having a corresponding host principal, e.g. afs/FQDN@REALM. Is it
>> possible to add the flexibility in IPA to create an arbitrary service principal,
>> which can be done with a standalone Kerberos KDC?
> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.
>
> Dan
>
>> On 11/07/2012 2:24 PM, Simo Sorce wrote:
>>> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
>>>> I think I do have it configured already:
>>>> =====
>>>> krbSupportedEncSaltTypes: aes256-cts:normal
>>>> krbSupportedEncSaltTypes: aes256-cts:special
>>>> krbSupportedEncSaltTypes: aes128-cts:normal
>>>> krbSupportedEncSaltTypes: aes128-cts:special
>>>> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
>>>> krbSupportedEncSaltTypes: des3-hmac-sha1:special
>>>> krbSupportedEncSaltTypes: arcfour-hmac:normal
>>>> krbSupportedEncSaltTypes: arcfour-hmac:special
>>>> krbSupportedEncSaltTypes: des-hmac-sha1:normal
>>>> krbSupportedEncSaltTypes: des-cbc-md5:normal
>>>> krbSupportedEncSaltTypes: des-cbc-crc:normal
>>>> krbSupportedEncSaltTypes: des-cbc-crc:v4
>>>> krbSupportedEncSaltTypes: des-cbc-crc:afs3
>>>> krbDefaultEncSaltTypes: aes256-cts:special
>>>> krbDefaultEncSaltTypes: aes128-cts:special
>>>> krbDefaultEncSaltTypes: des3-hmac-sha1:special
>>>> krbDefaultEncSaltTypes: arcfour-hmac:special
>>>> =====
>>>>
>>>> As I mentioned, I can create keytabs with des-cbc-crc:normal and
>>>> des-cbc-crc:afs3,
>>>> but not with des-cbc-crc:v4, which is what OpenAFS uses.
>>>>
>>>> Qing
>>>>
>>>> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>>>>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>>>>> please forgive me if this is a question that has been answered
>>>>>> somewhere already.
>>>>>>
>>>>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC
>>>>>> for
>>>>>> authentication but stumble on this error:
>>>>>>
>>>>>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>>>>>> fs: You don't have the required access rights on '/afs'
>>>>>>
>>>>>> A thread on the OpenAFS mailing list suggests that it is because I have the
>>>>>> wrong salt with my afs service key. The right one should be "des-cbc-crc:v4",
>>>>>> but the following fails when I try to create the keytab file:
>>>>>> ====
>>>>>> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>>>>>> afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA --keytab /etc/afs.keytab -e
>>>>>> des-cbc-crc:v4 -P
>>>>>> New Principal Password:
>>>>>> Verify Principal Password:
>>>>>> Bad or unsupported salt type (1)!
>>>>>> Failed to create key material
>>> OK, I just checked the code and found out that we do not support
>>> creating keys with the 'v4' salt type in the ipa code.
>>>
>>> I am not sure why I skipped that salt type when I coded it up.
>>> Probably because it is basically obsolete (and amounts to unsalted keys)
>>> and the only thing that still uses it is AFS which uses DES that is also
>>> a completely deprecated and insecure algorithm these days.
>>>
>>> Unfortunately it is not something that can be changed via some
>>> parameter, if this is really needed I can only suggest opening a ticket
>>> in freeipa trac instance.
>>>
>>> But can't AFS use some decent crypto these days, like AES?
>>>
>>> Simo.
>>>
>>>

-- 
------------------
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario,  M4N 3M5
(416) 480-6100 x3263
qchang at sri.utoronto.ca
------------------
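The practical risk in this thread is a service keytab carrying a single-DES key (the des-cbc-crc key OpenAFS wants). One way to spot such keys on a host is to audit the keytab file directly. The script below is an added example, not code from this thread, from FreeIPA or from OpenAFS: it builds a small keytab in memory (the principals, realm, timestamp and all-zero key bytes are constructed placeholders), parses the MIT keytab 0x0502 layout, and lists every key whose enctype is single DES, 3DES or RC4.

```python
"""Audit a MIT-format keytab for legacy encryption types (added example)."""
import struct
from dataclasses import dataclass
from typing import List

# Enctype numbers as assigned in RFC 3961/RFC 8009 and used by MIT Kerberos.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single DES (56-bit key) plus the 3DES/RC4 types current MIT/Heimdal treat as legacy.
WEAK_ENCTYPES = {1, 3, 16, 23}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[KeytabEntry], realm: str) -> bytes:
    """Serialise entries in keytab version 0x0502 layout (used here to construct sample data)."""
    out = b"\x05\x02"
    for e in entries:
        components = e.principal.split("/")
        body = struct.pack(">H", len(components))      # v2: count excludes the realm
        body += _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)                   # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1341990000)          # timestamp (constructed value)
        body += struct.pack(">B", e.kvno & 0xFF)       # 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)              # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab; negative-size slots are deleted entries and are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        pos += 4 + 4                                   # name_type, timestamp
        kvno = blob[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        if end - pos >= 4:                             # 32-bit vno present
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def weak_keys(blob: bytes) -> List[str]:
    """Return 'principal: enctype' for every key using a legacy enctype."""
    return [f"{e.principal}: {e.enctype_name}"
            for e in parse_keytab(blob) if e.enctype in WEAK_ENCTYPES]


# Constructed sample: an AFS principal with a DES key beside a host principal with
# an AES key. The realm, hostnames and zero key bytes are placeholders, not real secrets.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("afs/openafs.example.test", 3, 1, bytes(8)),
    KeytabEntry("host/ipa2.example.test", 2, 18, bytes(32)),
], "EXAMPLE.TEST")

if __name__ == "__main__":
    for finding in weak_keys(SAMPLE_KEYTAB):
        print("WEAK", finding)
```

To check a real file, pass `open("/etc/afs.keytab", "rb").read()` to `weak_keys` instead of the sample; MIT's `klist -kte` prints the same enctype information interactively, the script is only useful where you want to run the check from a script or over many hosts.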
