[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

Simo Sorce simo at redhat.com
Thu Nov 13 01:17:45 UTC 2014


On Wed, 12 Nov 2014 15:54:14 +0100
Andreas Ladanyi <andreas.ladanyi at kit.edu> wrote:

> Hi,
> 
> I set up the 389 LDAP server to support des-cbc-crc enctype.
> 
> I created a principal for OpenAFS. OpenAFS need des-cbc-crc:v4
> (single-DES). I created the principal with:
> 
> kadmin.local -x ipa-setup-override-restrictions

Please don't do this, use the ipa service-add and ipa-getkeytab
commands instead.

> The result is:
> 
> Principal: afs/cellname at Realm
> Key: vno 1, des-cbc-crc, no salt
> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
> 
> Seems like the principal was set correctly with single-des.
> 
> I execute a "kinit username" and got my tgt.
> 
> kvno -e des-cbc-crc afs/cellname
> kvno: KDC has no support for encryption type while getting credentials
> for afs/cellname at REALM
> 
> kvno -e aes256-cts-hmac-sha1-96  afs/cellname
> afs/cellname at PP.IPD.KIT.EDU: kvno = 1
> 
> I am wondering why I don't get a ticket with des-cbc-crc enctype from the
> FreeIPA Kerberos server.
> 
> Any ideas ?

des-cbc-crc is disabled at different levels, you need to set
allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms
at all.
On the KDC however you also need to change the list of allowed
enctypes in LDAP and in the KDC configuration file.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
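The two configuration files Simo refers to, written out as an added example; this is not part of the original thread and not FreeIPA's own shipped configuration. The realm EXAMPLE.COM and the file paths are assumptions (the kdc.conf path is the default on Red Hat based FreeIPA servers); the enctype list is the usual FreeIPA default with des-cbc-crc appended. Note that allow_weak_crypto re-enables 56-bit DES for every principal the host's libkrb5 talks to, not just the OpenAFS one, so set it only where the AFS client or server actually needs it.

```ini
# /etc/krb5.conf  (client side, and on the KDC host itself)
# Without this, libkrb5 refuses DES enctypes outright, which is the
# "KDC has no support for encryption type" error from kvno -e des-cbc-crc.
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true

# /var/kerberos/krb5kdc/kdc.conf  (KDC side)
# Strong enctypes stay first; des-cbc-crc is appended only so the
# afs/cellname principal can be keyed with it.
[realms]
    EXAMPLE.COM = {
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
    }
```

The LDAP side Simo mentions is the realm entry cn=EXAMPLE.COM,cn=kerberos,<suffix> in 389-ds: its krbSupportedEncSaltTypes attribute must also carry a des-cbc-crc:normal value (added with ldapmodify) before the KDC will issue or accept DES keys, and the KDC needs a restart afterwards. With all three in place, the recommended path is ipa service-add afs/cellname followed by ipa-getkeytab -p afs/cellname@EXAMPLE.COM -e des-cbc-crc -k /path/to/afs.keytab, rather than kadmin.local with override restrictions.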
