[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

Petr Spacek pspacek at redhat.com
Thu Nov 13 07:37:45 UTC 2014


On 13.11.2014 02:17, Simo Sorce wrote:
> On Wed, 12 Nov 2014 15:54:14 +0100
> Andreas Ladanyi <andreas.ladanyi at kit.edu> wrote:
> 
>> Hi,
>>
>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>>
>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>> (single-DES). I created the principal with:
>>
>> kadmin.local -x ipa-setup-override-restrictions
> 
> Please don't do this, use the ipa service-add and ipa-getkeytab
> commands instead.
> 
>> The result is:
>>
>> Principal: afs/cellname@Realm
>> Key: vno 1, des-cbc-crc, no salt
>> Key: vno 1, aes256-cts-hmac-sha1-96, no salt
>>
>> Seems like the principal was set correctly with single-des.
>>
>> I execute a "kinit username" and got my tgt.
>>
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@REALM
>>
>> kvno -e aes256-cts-hmac-sha1-96  afs/cellname
>> afs/cellname@PP.IPD.KIT.EDU: kvno = 1
>>
>> I am wondering why I don't get a ticket with des-cbc-crc enctype from
>> the FreeIPA Kerberos server.
>>
>> Any ideas ?
> 
> des-cbc-crc is disabled at different levels, you need to set

It should be noted that there are very good reasons for disabling des-cbc-crc:
*It is completely insecure* and can be cracked easily!

> allow_weak_crypto = yes in krb5.conf to enable use of DES algorithms
> at all.
> On the KDC however you also need to change the list of allowed
> enctypes in LDAP and in the KDC configuration file.

-- 
Petr^2 Spacek
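The three levels Simo lists (client krb5.conf, the realm's enctype policy in LDAP, and the KDC configuration) and Petr's warning both suggest the same practitioner check: after carving out a DES exception for the AFS principal, verify that weak crypto is on only where you meant it to be. The script below is an added example, not code from this thread or from FreeIPA; it is plain POSIX sh plus awk, runs offline on constructed sample input, and treats the suffix `dc=example,dc=test`, the realm `EXAMPLE.TEST` and the principal names as placeholders. The LDAP attribute (`krbSupportedEncSaltTypes`) and container (`cn=REALM,cn=kerberos,SUFFIX`) are the ones FreeIPA keeps its realm enctype policy in; the salt form `des-cbc-crc:v4` is what the original post says OpenAFS needs.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: small POSIX-sh audit
# helpers for the single-DES exception discussed above. They run offline on the
# constructed samples below; the commands that would actually apply the change
# (ipa service-add, ldapmodify, ipa-getkeytab) are only mentioned in comments.

# Placeholders (assumptions, not values from the thread).
SAMPLE_SUFFIX="dc=example,dc=test"
SAMPLE_REALM="EXAMPLE.TEST"

# Constructed krb5.conf fragments: the client-side setting Simo mentions, beside
# the default where DES stays off. krb5.conf comment lines start with '#' or ';'.
KRB5_WEAK='[libdefaults]
  default_realm = EXAMPLE.TEST
  allow_weak_crypto = true
[realms]
  EXAMPLE.TEST = { kdc = ipa.example.test }'

KRB5_DEFAULT='[libdefaults]
  default_realm = EXAMPLE.TEST
  # allow_weak_crypto = true
[realms]
  EXAMPLE.TEST = { kdc = ipa.example.test }'

# Constructed "kadmin.local getprinc" output for three principals; only the AFS
# service principal carries a single-DES key, which is the intended end state.
GETPRINC_SAMPLE='Principal: afs/example.test@EXAMPLE.TEST
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Principal: host/ipa.example.test@EXAMPLE.TEST
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Principal: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Key: vno 1, aes256-cts-hmac-sha1-96, no salt'

# Exit 0 if the krb5.conf text on stdin turns on allow_weak_crypto inside
# [libdefaults] (true/yes/1, case-insensitive); comment lines and other
# sections are ignored. Exit 1 otherwise.
weak_crypto_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { section = tolower($0); gsub(/[ \t]/, "", section); next }
        section == "[libdefaults]" && tolower($0) ~ /^[ \t]*allow_weak_crypto[ \t]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            if (v == "true" || v == "yes" || v == "1") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Print "principal kvno" for every key in getprinc-style output (stdin) whose
# enctype is single DES. Run it over the KDC database after the change to
# confirm DES keys exist only on the AFS principal, never on krbtgt or hosts.
des_keyed_principals() {
    awk '
        /^Principal:/ { princ = $2 }
        /^Key: vno/ && /des-cbc-(crc|md4|md5)/ {
            vno = $3; sub(/,$/, "", vno)
            print princ " " vno
        }
    '
}

# Emit the LDIF that widens the realm enctype policy in 389-ds ($1 = suffix,
# $2 = realm). The same des-cbc-crc:v4 entry must also be added to
# supported_enctypes in the KDC's kdc.conf, and the client needs
# allow_weak_crypto, before "ipa-getkeytab -e des-cbc-crc" for the service
# or "kvno -e des-cbc-crc afs/cellname" will succeed. Apply with
#   ldapmodify -Y GSSAPI -f realm-des.ldif
# after a kinit as an admin.
realm_enctype_ldif() {
    cat <<EOF
dn: cn=$2,cn=kerberos,$1
changetype: modify
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:v4
EOF
}

# Demo on the constructed samples.
if printf '%s\n' "$KRB5_WEAK" | weak_crypto_enabled; then
    echo "weak fragment: DES is enabled client-side (allow_weak_crypto)"
fi
if printf '%s\n' "$KRB5_DEFAULT" | weak_crypto_enabled; then
    echo "default fragment: unexpectedly enables DES"
fi
echo "principals holding single-DES keys:"
printf '%s\n' "$GETPRINC_SAMPLE" | des_keyed_principals
realm_enctype_ldif "$SAMPLE_SUFFIX" "$SAMPLE_REALM"
```

In use, feed `weak_crypto_enabled` the real `/etc/krb5.conf` and `des_keyed_principals` the output of `kadmin.local getprinc` for the principals you care about (krbtgt and host principals first); any DES key outside the AFS principal means the realm-wide policy change leaked further than intended, which is exactly the risk behind Petr's warning.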
