Hi,

On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang <qch...@sri.utoronto.ca> wrote:
> I agree with you that OpenAFS should implement better enctype. I'll raise it
> on their list. In the meantime, this is a block, do you have an estimate how
> long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> to our new infrastructure by end of July.

Is it really a block? I run IPA with OpenAFS. I used the kadmin utility to
extract the keytab (I think - this was quite a while ago). The ipa-getkeytab
utility is nice, but not required. Or am I missing something?

> There is another issue, by convention OpenAFS service principal is created as
> afs/DOMAIN@REALM. IPA does not support creating a service principal without
> first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
> to add the flexibility in IPA to create an arbitrary service principal, which
> can be done with a standalone Kerberos KDC?

Again, you don't have to use the IPA tools. You can use the Kerberos server
tools.

Dan

> On 11/07/2012 2:24 PM, Simo Sorce wrote:
>>
>> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
>>>
>>> I think I do have it configured already:
>>> =====
>>> krbSupportedEncSaltTypes: aes256-cts:normal
>>> krbSupportedEncSaltTypes: aes256-cts:special
>>> krbSupportedEncSaltTypes: aes128-cts:normal
>>> krbSupportedEncSaltTypes: aes128-cts:special
>>> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
>>> krbSupportedEncSaltTypes: des3-hmac-sha1:special
>>> krbSupportedEncSaltTypes: arcfour-hmac:normal
>>> krbSupportedEncSaltTypes: arcfour-hmac:special
>>> krbSupportedEncSaltTypes: des-hmac-sha1:normal
>>> krbSupportedEncSaltTypes: des-cbc-md5:normal
>>> krbSupportedEncSaltTypes: des-cbc-crc:normal
>>> krbSupportedEncSaltTypes: des-cbc-crc:v4
>>> krbSupportedEncSaltTypes: des-cbc-crc:afs3
>>> krbDefaultEncSaltTypes: aes256-cts:special
>>> krbDefaultEncSaltTypes: aes128-cts:special
>>> krbDefaultEncSaltTypes: des3-hmac-sha1:special
>>> krbDefaultEncSaltTypes: arcfour-hmac:special
>>> =====
>>>
>>> As I mentioned, I can create keytabs with des-cbc-crc:normal and
>>> des-cbc-crc:afs3, but not with des-cbc-crc:v4, which is what OpenAFS uses.
>>>
>>> Qing
>>>
>>> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>>>>
>>>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>>>>
>>>>> please forgive me if this is a question that has been answered
>>>>> somewhere already.
>>>>>
>>>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
>>>>> authentication but stumble on this error:
>>>>>
>>>>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>>>>> fs: You don't have the required access rights on '/afs'
>>>>>
>>>>> A thread on OpenAFS mailing list suggests that it is because I have wrong
>>>>> salt with my afs service key. The right one should be "des-cbc-crc:v4", but
>>>>> the following fails when I tried to create the keytab file:
>>>>> ====
>>>>> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
>>>>> New Principal Password:
>>>>> Verify Principal Password:
>>>>> Bad or unsupported salt type (1)!
>>>>> Failed to create key material
>>
>> OK, I just checked the code and found out that we do not support
>> creating keys with the 'v4' salt type in the ipa code.
>>
>> I am not sure why I skipped that salt type when I coded it up.
>> Probably because it is basically obsolete (and amounts to unsalted keys)
>> and the only thing that still uses it is AFS which uses DES that is also
>> a completely deprecated and insecure algorithm these days.
>>
>> Unfortunately it is not something that can be changed via some
>> parameter, if this is really needed I can only suggest opening a ticket
>> in freeipa trac instance.
>>
>> But can't AFS use some decent crypto these days, like AES ?
>>
>> Simo.
>>
>>
>
> --
> ------------------
> Qing Chang
> Senior Systems Administrator
> M6-624 Research Computing
> Sunnybrook Health Sciences Centre
> 2075 Bayview Ave.
> Toronto, Ontario, M4N 3M5
> (416) 480-6100 x3263
> qch...@sri.utoronto.ca
> ------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipaemail@example.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
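The thread turns on two facts a realm administrator would want to check before moving a cell: which `enctype:salt` pairs the IPA realm advertises in krbSupportedEncSaltTypes / krbDefaultEncSaltTypes (the same syntax `ipa-getkeytab -e` takes), and that the `v4` salt type in Simo's words "amounts to unsalted keys" on top of single DES being deprecated. The following script is an added example, not FreeIPA's or OpenAFS's code: it parses the attribute values quoted above (embedded here as a constructed sample) and reports weak, legacy and unsalted entries. The strength classes (`des-*` weak, RC4 and 3DES legacy, AES acceptable) are this example's own assumption, and the LDIF lines would normally come from an `ldapsearch` of the realm container, which the script does not perform.

```python
"""Audit enctype:salttype pairs advertised by an IPA realm.

Added example (not FreeIPA code). The sample below is constructed from the
krbSupportedEncSaltTypes / krbDefaultEncSaltTypes values quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: the attribute values quoted in the thread, LDIF style.
SAMPLE_LDIF = """\
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
"""

# Strength classes are an assumption of this example, not an IPA setting:
# single DES is broken, RC4 and 3DES are legacy, AES is acceptable.
WEAK_PREFIXES = ("des-",)
LEGACY_ENCTYPES = {"arcfour-hmac", "des3-hmac-sha1"}

# One "attribute: enctype:salttype" line, e.g. "krbSupportedEncSaltTypes: des-cbc-crc:v4".
LINE_RE = re.compile(r"^(krb(?:Supported|Default)EncSaltTypes):\s*([^:\s]+):(\S+)$")


@dataclass(frozen=True)
class EncSalt:
    attribute: str
    enctype: str
    salttype: str

    @property
    def rating(self) -> str:
        if self.enctype.startswith(WEAK_PREFIXES):
            return "weak"
        if self.enctype in LEGACY_ENCTYPES:
            return "legacy"
        return "ok"

    @property
    def unsalted(self) -> bool:
        # The v4 salt type derives the key with an empty salt (the point made in the thread).
        return self.salttype == "v4"


def parse_encsalt_lines(text: str) -> list:
    """Parse LDIF-style attribute lines into EncSalt records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(EncSalt(*m.groups()))
    return entries


def audit(entries: list) -> list:
    """Return one finding per weak/legacy entry, plus one per unsalted (v4) entry."""
    findings = []
    for e in entries:
        if e.rating != "ok":
            findings.append(f"{e.attribute}: {e.enctype}:{e.salttype} is {e.rating}")
        if e.unsalted:
            findings.append(f"{e.attribute}: {e.enctype}:{e.salttype} uses an empty (v4) salt")
    return findings


def is_advertised(requested: str, entries: list) -> bool:
    """True if an 'enctype:salt' string (as given to ipa-getkeytab -e) is listed
    in krbSupportedEncSaltTypes. Being listed does not guarantee the tool can
    create the key: the thread shows des-cbc-crc:v4 listed yet rejected."""
    enc, _, salt = requested.partition(":")
    return any(e.attribute == "krbSupportedEncSaltTypes"
               and e.enctype == enc and e.salttype == salt for e in entries)


if __name__ == "__main__":
    parsed = parse_encsalt_lines(SAMPLE_LDIF)
    for finding in audit(parsed):
        print(finding)
    print("des-cbc-crc:v4 advertised:", is_advertised("des-cbc-crc:v4", parsed))
```

Run against the real realm entry, this separates two questions the thread conflates: whether a pair is advertised in LDAP (des-cbc-crc:v4 is) and whether it should be in use at all (every `des-*` entry is flagged, and the v4 one twice). The second list is the one to take to the OpenAFS side when asking for AES support, as Simo suggests.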