[Freeipa-users] IPA + OpenAFS

Simo Sorce simo at redhat.com
Thu Jul 12 20:31:45 UTC 2012


On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
> 
> On 11/07/2012 5:46 PM, Dmitri Pal wrote: 
> > On 07/11/2012 04:01 PM, Qing Chang wrote:
> > > 
> > > On 11/07/2012 3:23 PM, Simo Sorce wrote:
> > > > On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
> > > > > Because of the integration of Kerberos in IPA, Kerberos tools can be used
> > > > > only in limited
> > > > > situations; when creating afs/DOMAIN@REALM with kadmin, I got this
> > > > > error:
> > > > > add_principal: Kerberos database constraints violated while creating
> > > > > "afs/DOMAIN@REALM"
> > > > > 
> > > > Use ipa service-add to add services, never kadmin.local; it will not
> > > > work. We hard-coded failures in the DB driver to prevent users from
> > > > doing that, as kadmin doesn't know where to put and how to properly fill
> > > > up objects.
> > > > 
> > > > However you can use kadmin.local on a pre-existing principal to obtain a
> > > > new keytab.
> > > > 
> > > > Simo.
> > > > 
> > > A keytab with v4 salt was created successfully using kadmin;
> > > unfortunately OpenAFS
> > > still spit out the same error message:
> > > [root@smb1 ~]# fs setacl /afs system:anyuser rl
> > > fs: You don't have the required access rights on '/afs'
> > > 
> > > When --force was used with ipa service-add to create
> > > afs/DOMAIN@REALM, IPA
> > > still does not like the fact that there is no host entry:
> > > [root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
> > > ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
> > > to.
> Sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created a
> keytab with no salt:
> =====
> kadmin.local:   ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
> Entry for principal afs/openafs.sri.utoronto.ca with kvno 20,
> encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
> kadmin.local:  getprinc afs/openafs.sri.utoronto.ca
> Principal: afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA
> Expiration date: [never]
> Last password change: Thu Jul 12 15:08:16 EDT 2012
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/admin@SRI.UTORONTO.CA)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 20, des-cbc-crc, no salt
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
> =====
> 
> I also tried ":normal" and ":afs3"; no salts were added for any type. Is
> the IPA
> code not doing it, or am I missing something?

v4 means 'no salt' afaik.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
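One check worth making before handing a keytab like /tmp/openafs to OpenAFS, as an added example written for this page (not code from FreeIPA, OpenAFS or MIT krb5): the keytab that `ktadd -k` writes records the principal, kvno and enctype but no salt at all, so the only place the salt type is visible is the KDB, through the `Key:` lines of `getprinc`. The block below parses the MIT version-2 (0x0502) keytab layout, scans `getprinc` output for its `Key:` lines, and flags single-DES keys and keys whose salt field reads `no salt`. The principal and the `getprinc` lines are the ones from the thread; the 8-byte key, the timestamp and the enctype table are constructed for the example.

```python
import re
import struct
from dataclasses import dataclass

# MIT/Heimdal keytab, format version 2: 2-byte magic, then entries of
# [int32 size][uint16 ncomp][realm][components...][uint32 name_type]
# [uint32 timestamp][uint8 kvno][uint16 enctype][key][optional uint32 kvno].
# There is no salt field anywhere in this layout.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
# Enctype numbers as assigned in RFC 3961 and MIT krb5; a small subset.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
SINGLE_DES = {1, 2, 3}


@dataclass
class KeytabEntry:
    principal: str      # "name/instance@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def enctype_name(etype: int) -> str:
    return ENCTYPE_NAMES.get(etype, f"etype-{etype}")


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise entries the way ktadd -k lays them out (used to make test data)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)   # trailing 32-bit kvno (MIT extension)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, ts, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:      # MIT: trailing 32-bit kvno wins when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
    return entries


# kadmin getprinc prints one "Key: vno N, enctype[, salt]" line per key.
_KEY_LINE = re.compile(r"^Key: vno (\d+), ([\w-]+)(?:, (.+))?$")


def parse_getprinc_keys(text: str):
    keys = []
    for line in text.splitlines():
        m = _KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return keys


def audit_keys(entries, getprinc_text: str):
    """Single-DES keys come from the keytab; salt findings only from the KDB."""
    findings = []
    for e in entries:
        if e.enctype in SINGLE_DES:
            findings.append(f"{e.principal} kvno {e.kvno}: single-DES key "
                            f"({enctype_name(e.enctype)})")
    for vno, etype, salt in parse_getprinc_keys(getprinc_text):
        if salt == "no salt":
            findings.append(f"KDB key vno {vno} ({etype}): no salt recorded")
    return findings


# Constructed sample: the thread's principal with a dummy 8-byte DES key.
SAMPLE_ENTRY = KeytabEntry("afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA",
                           KRB5_NT_PRINCIPAL, 1342120096, 20, 1, bytes(range(8)))
SAMPLE_GETPRINC = "Number of keys: 1\nKey: vno 20, des-cbc-crc, no salt\nMKey: vno 1\n"

if __name__ == "__main__":
    for e in parse_keytab(build_keytab([SAMPLE_ENTRY])):
        print(e.principal, "kvno", e.kvno, enctype_name(e.enctype))
    for f in audit_keys(parse_keytab(build_keytab([SAMPLE_ENTRY])), SAMPLE_GETPRINC):
        print("WARNING:", f)
```

To run it against a real file, read the bytes of the keytab into `parse_keytab` and paste the `getprinc` output into `audit_keys`; the keytab side alone can never tell you whether a key is salted, which is the reason the thread turns to `getprinc`.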



