[Freeipa-users] IPA + OpenAFS

Dmitri Pal dpal at redhat.com
Wed Jul 11 18:12:34 UTC 2012


On 07/11/2012 10:19 AM, Qing Chang wrote:
> I think I do have it configured already:
> =====
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
> krbSupportedEncSaltTypes: des-hmac-sha1:normal
> krbSupportedEncSaltTypes: des-cbc-md5:normal
> krbSupportedEncSaltTypes: des-cbc-crc:normal
> krbSupportedEncSaltTypes: des-cbc-crc:v4
> krbSupportedEncSaltTypes: des-cbc-crc:afs3
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
> krbDefaultEncSaltTypes: des3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =====
>
> As I mentioned, I can create keytabs with des-cbc-crc:normal and
> des-cbc-crc:afs3,
> but not with des-cbc-crc:v4, which is what OpenAFS uses.


Is there anything in the Kerberos logs on the server?

>
> Qing
>
> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>> please forgive me if this is a question that has been answered
>>> somewhere already.
>>>
>>> I am almost finished setting up my first OpenAFS cell using IPA's
>>> KDC for
>>> authentication but stumble on this error:
>>>
>>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>>> fs: You don't have the required access rights on '/afs'
>>>
>>> A thread on OpenAFS mailing list suggests that it is because I have
>>> wrong salt
>>> with my afs service key. The right one should be "des-cbc-crc:v4",
>>> but following fails
>>> when I tried to create the keytab file:
>>> ====
>>> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>>> afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA --keytab /etc/afs.keytab
>>> -e des-cbc-crc:v4 -P
>>> New Principal Password:
>>> Verify Principal Password:
>>> Bad or unsupported salt type (1)!
>>> Failed to create key material
>>> ====
>>>
>>> My IPA server kdc.conf file has this:
>>> supported_enctypes = aes256-cts:normal aes128-cts:normal
>>> des3-hmac-sha1:normal arcfour-hmac:normal
>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>> des-cbc-crc:v4 des-cbc-crc:afs3
>>>
>>> And the krb5.conf file on both IPA server and OpenAFS server has this:
>>> allow_weak_crypto = true
>>>
>>> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and
>>> des-cbc-crc:afs3 works, but OpenAFS
>>> does not like them.
>> You need to change the supported enc types in LDAP for ipa to care.
>> These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
>> ldap.
>>
>> Simo.
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
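The thread turns on where the enctype:salt pairs actually live: Simo points at the krbSupportedEncSaltTypes attribute in LDAP, Qing shows the dump, and the kdc.conf list is quoted separately. The script below is an added example, not code from the thread, FreeIPA or OpenAFS. It parses both sources, reports whether a pair requested with `ipa-getkeytab -e` is present on each side, lists pairs that kdc.conf names but LDAP does not advertise, and lists the single-DES pairs the realm still advertises, which is what `allow_weak_crypto = true` quietly enables. The attribute names, realm name and enctype values are taken from the thread; the kdc.conf framing around them, the function names and the `SINGLE_DES` set are my own assumptions.

```python
"""Cross-check a FreeIPA realm's krbSupportedEncSaltTypes (LDAP) against
supported_enctypes (kdc.conf). Added example; sample input is constructed
from the values quoted in the mailing-list thread."""

from dataclasses import dataclass

# Single-DES enctypes: MIT Kerberos refuses them unless allow_weak_crypto = true.
# (Assumed set for this example; des-cbc-md4 is included for completeness.)
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}

# Constructed sample: the LDAP attributes exactly as pasted in the thread,
# mail quoting ("> ") included, so the parser tolerates it.
LDAP_DUMP = """\
> =====
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
> krbSupportedEncSaltTypes: des-hmac-sha1:normal
> krbSupportedEncSaltTypes: des-cbc-md5:normal
> krbSupportedEncSaltTypes: des-cbc-crc:normal
> krbSupportedEncSaltTypes: des-cbc-crc:v4
> krbSupportedEncSaltTypes: des-cbc-crc:afs3
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
> krbDefaultEncSaltTypes: des3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =====
"""

# Constructed sample: the supported_enctypes line from the thread, wrapped the
# way the mail quoted it (a real kdc.conf keeps it on one line); the [realms]
# framing is assumed.
KDC_CONF = """\
[realms]
 SRI.UTORONTO.CA = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal
   des3-hmac-sha1:normal arcfour-hmac:normal
   des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
   des-cbc-crc:v4 des-cbc-crc:afs3
 }
"""


def parse_ldap_enc_salt_types(text: str,
                              attribute: str = "krbSupportedEncSaltTypes") -> set[str]:
    """Return the enctype:salt values of one multi-valued LDAP attribute.
    Leading '>' quote marks (as in a mail paste) are ignored."""
    values: set[str] = set()
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == attribute:
            values.add(value.strip())
    return values


def parse_kdc_conf_enctypes(text: str) -> set[str]:
    """Collect the tokens of supported_enctypes; tolerates mail-wrapped lines
    by reading on until a blank line, another key=value, '[' or '}'."""
    tokens: list[str] = []
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            if line.startswith("supported_enctypes"):
                tokens.extend(line.partition("=")[2].split())
                collecting = True
            continue
        if not line or "=" in line or line[0] in "[}":
            break
        tokens.extend(line.split())
    return set(tokens)


@dataclass(frozen=True)
class PairCheck:
    requested: str
    in_ldap: bool
    in_kdc_conf: bool
    weak: bool


def check_pair(requested: str, ldap_pairs: set[str], kdc_pairs: set[str]) -> PairCheck:
    """Is the pair given to `ipa-getkeytab -e` present on both sides, and is it weak?"""
    enctype = requested.partition(":")[0]
    return PairCheck(requested, requested in ldap_pairs, requested in kdc_pairs,
                     enctype in SINGLE_DES)


def kdc_conf_only(ldap_pairs: set[str], kdc_pairs: set[str]) -> set[str]:
    """Pairs kdc.conf names but LDAP does not advertise. Per Simo's reply, IPA
    consults the LDAP attribute, so these would be unusable for keytabs."""
    return kdc_pairs - ldap_pairs


def weak_pairs_enabled(ldap_pairs: set[str]) -> list[str]:
    """Single-DES pairs the realm still advertises (a hardening-review list)."""
    return sorted(p for p in ldap_pairs if p.partition(":")[0] in SINGLE_DES)


if __name__ == "__main__":
    ldap_pairs = parse_ldap_enc_salt_types(LDAP_DUMP)
    kdc_pairs = parse_kdc_conf_enctypes(KDC_CONF)
    for req in ("des-cbc-crc:v4", "des-cbc-crc:afs3", "aes256-cts:normal"):
        print(check_pair(req, ldap_pairs, kdc_pairs))
    print("kdc.conf only:", kdc_conf_only(ldap_pairs, kdc_pairs) or "none")
    print("weak pairs advertised:", weak_pairs_enabled(ldap_pairs))
```

Run against the thread's own values, the requested des-cbc-crc:v4 pair is present in both LDAP and kdc.conf and nothing is kdc.conf-only, which matches Qing's "I do have it configured already" and leaves the KDC log, as Dmitri asks for, as the next place to look. The weak-pairs list is the part worth keeping after the OpenAFS cell works: five single-DES pairs are advertised realm-wide, not just for the afs/ principal.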