[Freeipa-users] IPA + OpenAFS

Qing Chang qchang at sri.utoronto.ca
Wed Jul 11 19:04:28 UTC 2012


I agree with you that OpenAFS should implement better enctype. I'll raise it
on their list. In the meantime, this is a blocker. Do you have an estimate of how
long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
to our new infrastructure by end of July.

There is another issue, by convention OpenAFS service principal is created as
afs/DOMAIN@REALM. IPA does not support creating a service principal without
first having a corresponding host principal, e.g., afs/FQDN@REALM. Is it possible
to add the flexibility in IPA to create an arbitrary service principal, which can be
done with a standalone Kerberos KDC?

I'll try to open a ticket for v4.

Many thanks,
Qing

On 11/07/2012 2:24 PM, Simo Sorce wrote:
> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
>> I think I do have it configured already:
>> =====
>> krbSupportedEncSaltTypes: aes256-cts:normal
>> krbSupportedEncSaltTypes: aes256-cts:special
>> krbSupportedEncSaltTypes: aes128-cts:normal
>> krbSupportedEncSaltTypes: aes128-cts:special
>> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
>> krbSupportedEncSaltTypes: des3-hmac-sha1:special
>> krbSupportedEncSaltTypes: arcfour-hmac:normal
>> krbSupportedEncSaltTypes: arcfour-hmac:special
>> krbSupportedEncSaltTypes: des-hmac-sha1:normal
>> krbSupportedEncSaltTypes: des-cbc-md5:normal
>> krbSupportedEncSaltTypes: des-cbc-crc:normal
>> krbSupportedEncSaltTypes: des-cbc-crc:v4
>> krbSupportedEncSaltTypes: des-cbc-crc:afs3
>> krbDefaultEncSaltTypes: aes256-cts:special
>> krbDefaultEncSaltTypes: aes128-cts:special
>> krbDefaultEncSaltTypes: des3-hmac-sha1:special
>> krbDefaultEncSaltTypes: arcfour-hmac:special
>> =====
>>
>> As I mentioned, I can create keytabs with des-cbc-crc:normal and des-cbc-crc:afs3,
>> but not with des-cbc-crc:v4, which is what OpenAFS uses.
>>
>> Qing
>>
>> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>>> please forgive me if this is a question that has been answered somewhere already.
>>>>
>>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
>>>> authentication but stumble on this error:
>>>>
>>>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>>>> fs: You don't have the required access rights on '/afs'
>>>>
>>>> A thread on OpenAFS mailing list suggests that it is because I have wrong salt
>>>> with my afs service key. The right one should be "des-cbc-crc:v4", but following fails
>>>> when I tried to create the keytab file:
>>>> ====
>>>> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>>>> afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
>>>> New Principal Password:
>>>> Verify Principal Password:
>>>> Bad or unsupported salt type (1)!
>>>> Failed to create key material
> OK, I just checked the code and found out that we do not support
> creating keys with the 'v4' salt type in the ipa code.
>
> I am not sure why I skipped that salt type when I coded it up.
> Probably because it is basically obsolete (and amounts to unsalted keys)
> and the only thing that still uses it is AFS which uses DES that is also
> a completely deprecated and insecure algorithm these days.
>
> Unfortunately it is not something that can be changed via some
> parameter, if this is really needed I can only suggest opening a ticket
> in freeipa trac instance.
>
> But can't AFS use some decent crypto these days, like AES ?
>
> Simo.
>
>

-- 
------------------
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario,  M4N 3M5
(416) 480-6100 x3263
qchang at sri.utoronto.ca
------------------
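The thread turns on which enctype and salt end up in /etc/afs.keytab, and Simo's point is that single-DES keys are insecure regardless of salt. The following is an added example, not code from the thread, from FreeIPA or from OpenAFS: a small reader for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype and flags entries keyed with single DES (deprecated by RFC 6649) or with 3DES/RC4 (deprecated by RFC 8429). The keytab bytes it inspects are constructed in the block with placeholder principal and realm names; a keytab records the enctype and key but not the salt, so it cannot tell v4 from afs3 salting, only whether DES key material is present at all.

```python
"""Inspect an MIT-format keytab (file format 0x0502) and flag weak enctypes.

Added example. SAMPLE_KEYTAB is constructed here with placeholder names;
nothing below is taken from a real keytab.
"""
import struct
from typing import List, NamedTuple, Tuple

# Enctype numbers as assigned in RFC 3961, RFC 3962, RFC 4757 and RFC 8009.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac",
}
INSECURE = {1, 2, 3}       # single DES, deprecated by RFC 6649
DEPRECATED = {16, 23}      # 3DES and RC4, deprecated by RFC 8429


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16-length-prefixed octet string at off."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a version-0x0502 keytab (all fields big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        if end - off >= 4:            # optional 32-bit kvno follows the key
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key))
    return entries


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one keytab entry; used only to construct the sample below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def audit_keytab(data: bytes) -> List[str]:
    """One finding per entry whose enctype is insecure or deprecated."""
    findings = []
    for e in parse_keytab(data):
        name = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        if e.enctype in INSECURE:
            findings.append(f"INSECURE {e.principal} kvno={e.kvno} {name} (single DES, RFC 6649)")
        elif e.enctype in DEPRECATED:
            findings.append(f"DEPRECATED {e.principal} kvno={e.kvno} {name} (RFC 8429)")
    return findings


# Constructed sample: an AFS service principal keyed with both DES and AES-256.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("afs/openafs.example.test@EXAMPLE.TEST", 3, 1, bytes(8))
    + build_entry("afs/openafs.example.test@EXAMPLE.TEST", 3, 18, bytes(32))
)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry.principal, entry.kvno, ENCTYPE_NAMES.get(entry.enctype, entry.enctype), len(entry.key))
    for finding in audit_keytab(SAMPLE_KEYTAB):
        print(finding)
```

To check a real keytab, pass `open("/etc/afs.keytab", "rb").read()` to `audit_keytab`; it reports the same enctypes `klist -ke` shows, in a form that can be run across many hosts. An AFS keytab that shows only des-cbc-crc entries is the situation Simo describes, where the cell depends on single DES whatever salt was used.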