[Freeipa-users] FreeIPA Kerberos and Single-DES for OpenAFS

Dmitri Pal dpal at redhat.com
Mon Nov 17 13:31:39 UTC 2014


On 11/17/2014 07:59 AM, Andreas Ladanyi wrote:
>>>>> Hi,
>>>>>
>>>>> I set up the 389 LDAP server to support des-cbc-crc enctype.
>>>>>
>>>>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
>>>>> (single-DES). I created the principal with:
>>>>>
>>>>> kadmin.local -x ipa-setup-override-restrictions
>>>> Please don't do this, use the ipa service-add and ipa-getkeytab
>>>> commands instead.
>>> I can't use ipa service-add, because for OpenAFS I need a service
>>> principal called:
>>>
>>> afs/cellname@REALM, where the cellname could be any name. In my case the
>>> cellname is the same as the domain name.
>> [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
>> ---------------------------------------
>> Added host "afs-cellname.ipacloud.test"
>> ---------------------------------------
>>   Host name: afs-cellname.ipacloud.test
>>   Principal name: host/afs-cellname.ipacloud.test@IPACLOUD.TEST
>>   Password: False
>>   Keytab: False
>>   Managed by: afs-cellname.ipacloud.test
>> [root@cc21 ~]# ipa service-add --force afs/afs-cellname
>> ----------------------------------------------
>> Added service "afs/afs-cellname@IPACLOUD.TEST"
>> ----------------------------------------------
>>   Principal: afs/afs-cellname@IPACLOUD.TEST
>>   Managed by: afs-cellname.ipacloud.test
>> [root@cc21 ~]# ipa service-show afs/afs-cellname
>>   Principal: afs/afs-cellname@IPACLOUD.TEST
>>   Keytab: False
>>   Managed by: afs-cellname.ipacloud.test
>> [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
>> Keytab successfully retrieved and stored in: /tmp/afs.keytab
>>
>> As you can see there is no problem at all -- all you need is to have a
>> host entry with the same name as afs-cellname. Note that the host
>> afs-cellname doesn't even need to exist in DNS.
>>
>> However, your primary problem would be in a different area. You'll need
>> to enable weak crypto at KDC server, Kerberos clients, and LDAP servers.
>>
>> krb5.conf (on both IPA masters and clients):
>> [libdefaults]
>>   allow_weak_crypto = true
>>
>> /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
>> [realms]
>> IPACLOUD.TEST = {
>>    supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
>> }
>>
>> Finally, you need to modify
>> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
>> and add des-cbc-crc:v4 to supported Kerberos encryption types with
>> krbSupportedEncSaltTypes
>> attribute. You have to use ldapmodify as cn=Directory Manager for that
>> as we don't allow admins to modify these entries directly.
>>
>> A simplified approach would be to use ipa-ldap-updater with your own
>> update file (which should have a name like <number>-<name>.update where
>> <number> is something between 01 and 90):
>>
>> [root@cc21 ~]# cat 20-weak-enctypes.update
>> dn: cn=$REALM,cn=kerberos,$SUFFIX
>> add: krbSupportedEncSaltTypes: des-cbc-crc:v4
>>
>> [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
>> Directory Manager password:
>> Parsing update file './20-weak-enctypes.update'
>> Updating existing entry: cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
>> Done
>> The ipa-ldap-updater command was successful
>>
>> Only after that you'll get ipa-getkeytab to generate weaker encryption
>> type-based keys.
> That's interesting. Now I can receive afs/cellname@REALM service tickets
> with des-cbc-crc and aes256 keys on the client, but only when I execute:
>
> kvno -e des-cbc-crc afs/cellname
>
> If I execute aklog to obtain an AFS token from the TGT, I get an
> afs/cellname@REALM service ticket without a des-cbc-crc key.

Are they using the same krb5.conf?

>
>> However, we have a problem in FreeIPA 4.x that an
>> attempt to force only a specific encryption type in ipa-getkeytab is
>> ignored and instead only enctypes from krbDefaultEncSaltTypes attribute
>> are generated. This bug is tracked with
>> https://fedorahosted.org/freeipa/ticket/4718
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
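Single-DES only works end to end when all three places named in the thread agree: `allow_weak_crypto` in krb5.conf on every KDC and client, `supported_enctypes` in kdc.conf, and `krbSupportedEncSaltTypes` on the realm entry in LDAP. The script below is an added example (my own code, not from the thread or the FreeIPA project) that audits constructed copies of those three files and reports where weak enctypes are enabled, so an administrator can see at a glance whether a client that gets no des-cbc-crc key is simply missing the krb5.conf setting. The "weak" list is an assumption taken from MIT krb5's allow_weak_crypto family (the single-DES enctypes and arcfour-hmac-exp); des3-cbc-sha1 and arcfour-hmac-md5 are deprecated in newer MIT releases but not gated by that setting, so the audit deliberately leaves them out.

```python
"""Audit the three places where single-DES must be enabled for a FreeIPA realm.

Added example; the sample configurations below are constructed to mirror the
thread and are not copied from any real deployment.
"""
import re

# Assumption: enctypes MIT krb5 refuses unless allow_weak_crypto = true.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp",
}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_style(text):
    """Minimal parser for krb5.conf/kdc.conf profile syntax.

    Returns {section: {key: value}}; keys inside a `NAME = { ... }` block are
    flattened to 'NAME.key' (e.g. 'IPACLOUD.TEST.supported_enctypes').
    """
    result, section, stack = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                          # new section
            section, stack = m.group(1), []
            result.setdefault(section, {})
            continue
        if line == "}":                                # close a block
            stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if value == "{":                               # open a block
            stack.append(key)
            continue
        result.setdefault(section, {})[".".join(stack + [key])] = value
    return result


def weak_enctypes_in(value):
    """Return the weak enctypes in an 'enctype:salt enctype:salt ...' list."""
    return [tok.split(":", 1)[0].lower() for tok in value.split()
            if tok.split(":", 1)[0].lower() in WEAK_ENCTYPES]


def allow_weak_crypto_enabled(krb5_conf):
    """True when [libdefaults] allow_weak_crypto is set to a true value."""
    libdefaults = parse_krb5_style(krb5_conf).get("libdefaults", {})
    return libdefaults.get("allow_weak_crypto", "false").lower() in TRUE_VALUES


def audit_kdc_conf(kdc_conf):
    """Map each realm in [realms] to the weak enctypes in its supported_enctypes."""
    findings = {}
    for key, value in parse_krb5_style(kdc_conf).get("realms", {}).items():
        realm, _, option = key.rpartition(".")
        if option == "supported_enctypes" and weak_enctypes_in(value):
            findings[realm] = weak_enctypes_in(value)
    return findings


def audit_ldif(ldif):
    """Map each dn in an LDIF dump to the weak krbSupportedEncSaltTypes values."""
    findings, dn = {}, None
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "krbsupportedencsalttypes" and dn:
            findings.setdefault(dn, []).extend(weak_enctypes_in(value.strip()))
    return {dn: weak for dn, weak in findings.items() if weak}


def audit(krb5_conf, kdc_conf, realm_ldif):
    """Summarise all three sources; single-DES is usable only if they agree."""
    allow_weak = allow_weak_crypto_enabled(krb5_conf)
    kdc_weak = sorted({e for v in audit_kdc_conf(kdc_conf).values() for e in v})
    ldap_weak = sorted({e for v in audit_ldif(realm_ldif).values() for e in v})
    return {
        "allow_weak_crypto": allow_weak,
        "kdc_weak": kdc_weak,
        "ldap_weak": ldap_weak,
        "single_des_usable": allow_weak and "des-cbc-crc" in kdc_weak
                             and "des-cbc-crc" in ldap_weak,
    }


# Constructed sample inputs mirroring the thread's configuration.
KRB5_CONF = """[libdefaults]
  default_realm = IPACLOUD.TEST
  allow_weak_crypto = true
"""
KDC_CONF = """[kdcdefaults]
 kdc_ports = 88
[realms]
IPACLOUD.TEST = {
   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
}
"""
REALM_LDIF = """dn: cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
"""

if __name__ == "__main__":
    for key, value in audit(KRB5_CONF, KDC_CONF, REALM_LDIF).items():
        print(f"{key}: {value}")
```

Run it against the real files (`/etc/krb5.conf` from a client that fails with aklog, the master's kdc.conf, and an `ldapsearch` dump of the realm entry) by reading them into the three arguments; a client whose `allow_weak_crypto` line is missing shows `single_des_usable: False` even when the KDC and LDAP side are correct, which is the mismatch the question about "the same krb5.conf" is probing for.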