> [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
> ---------------------------------------
> Added host "afs-cellname.ipacloud.test"
> ---------------------------------------
>  Host name: afs-cellname.ipacloud.test
>  Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
>  Password: False
>  Keytab: False
>  Managed by: afs-cellname.ipacloud.test
ok, I have done "ipa host-add --force afscellname" (in my case equal to
the domain name).
> [root@cc21 ~]# ipa service-add --force afs/afs-cellname
> ----------------------------------------------
> Added service "afs/afs-celln...@ipacloud.test"
> ----------------------------------------------
>  Principal: afs/afs-celln...@ipacloud.test
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa service-show afs/afs-cellname
>  Principal: afs/afs-celln...@ipacloud.test
>  Keytab: False
>  Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
> Keytab successfully retrieved and stored in: /tmp/afs.keytab
ok, I have done "ipa service-add --force afs/cellname" (in my case
equal to the domain name).
>
> As you can see there is no problem at all -- all you need is to have a
> host entry with the same name as afs-cellname. Note that the host
> afs-cellname doesn't even need to exist in DNS.
>
> However, your primary problem would be in a different area. You'll need
> to enable weak crypto at KDC server, Kerberos clients, and LDAP servers.
>
> krb5.conf (on both IPA masters and clients):
> [libdefaults]
>  allow_weak_crypto = true
done.
>
> /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
> [realms]
> IPACLOUD.TEST = {
>   supported_enctypes = aes256-cts-hmac-sha1-96:normal
> aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
> arcfour-hmac-md5:normal des-cbc-crc:v4
> }
>
done.
> Finally, you need to modify
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> and add des-cbc-crc:v4 to supported Kerberos encryption types with
> krbSupportedEncSaltTypes
> attribute. You have to use ldapmodify as cn=Directory Manager for that
> as we don't allow admins to modify these entries directly.
I used JXplorer to modify the entries.
>
> A simplified approach would be to use ipa-ldap-updater with your own
> update file (which should have a name like <number>-<name>.update where
> <number> is something between 01 and 90):
>
> [root@cc21 ~]# cat 20-weak-enctypes.update
> dn: cn=$REALM,cn=kerberos,$SUFFIX
> add: krbSupportedEncSaltTypes: des-cbc-crc:v4
>
> [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
> Directory Manager password:
> Parsing update file './20-weak-enctypes.update'
> Updating existing entry:
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> Done
> The ipa-ldap-updater command was successful
>
> Only after that you'll get ipa-getkeytab to generate weaker encryption
> type-based keys. 
ok.

getprinc of the afs/cellname@REALM principal says:

Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, des-cbc-crc, no salt

It looks like the single-DES key was created.

If I ask for a TGT and an afs/cellname@REALM TGS ticket with kinit and
aklog (from OpenAFS), I only get an AES256 key, but no single-DES ticket.

From the client PC:

kvno -e des-cbc-crc afs/cellname principal
kvno: KDC has no support for encryption type while getting credentials
for afs/cellname@REALM

kvno -e aes256-cts afs/cellname principal
afs/cellname@REALM: kvno = 1

> However, we have a problem in FreeIPA 4.x that an
> attempt to force only a specific encryption type in ipa-getkeytab is
> ignored and instead only enctypes from krbDefaultEncSaltTypes attribute
> are generated. This bug is tracked with
> https://fedorahosted.org/freeipa/ticket/4718
I use FreeIPA 3.3.5 with Fedora on the single IPA master.


cheers,
Andreas
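The thread turns on which encryption types end up on the afs/ principal and which ones the KDC is configured to hand out. The script below is an added example, not code from the thread or from the FreeIPA project: it parses `kadmin getprinc` key lines and a kdc.conf `supported_enctypes` value and reports which enctypes are single-DES (the ones MIT Kerberos only allows behind `allow_weak_crypto`) versus merely deprecated (3DES, RC4) versus current. The sample inputs are constructed to match the listings quoted above; the weak/deprecated sets are assumptions drawn from MIT Kerberos documentation, not from the thread.

```python
"""Audit a Kerberos principal's key enctypes and a KDC's supported_enctypes
for weak encryption types.  Added example; sample inputs are constructed."""
import re
from dataclasses import dataclass

# Single-DES (and its raw/exportable relatives) are the enctypes MIT krb5
# refuses unless allow_weak_crypto = true is set.  Assumed set.
WEAK_ENCTYPES = frozenset({
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp",
})
# 3DES and RC4 are not gated by allow_weak_crypto but are deprecated in
# current MIT Kerberos releases; flagged separately.  Assumed set.
DEPRECATED_ENCTYPES = frozenset({
    "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5",
})

# Matches lines such as "Key: vno 1, des-cbc-crc, no salt" from getprinc.
KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([\w-]+)(?:,\s*(.+))?$")


@dataclass(frozen=True)
class PrincipalKey:
    kvno: int
    enctype: str
    salt: str  # e.g. "no salt" or "normal"


def parse_getprinc_keys(text: str) -> list[PrincipalKey]:
    """Extract the key entries from kadmin getprinc output; other lines are ignored."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append(PrincipalKey(int(m.group(1)), m.group(2), m.group(3) or ""))
    return keys


def classify_keys(keys: list[PrincipalKey]) -> dict[str, list[str]]:
    """Group the principal's enctypes into weak / deprecated / strong buckets."""
    report: dict[str, list[str]] = {"weak": [], "deprecated": [], "strong": []}
    for k in keys:
        if k.enctype in WEAK_ENCTYPES:
            report["weak"].append(k.enctype)
        elif k.enctype in DEPRECATED_ENCTYPES:
            report["deprecated"].append(k.enctype)
        else:
            report["strong"].append(k.enctype)
    return report


def parse_supported_enctypes(value: str) -> list[tuple[str, str]]:
    """Split a kdc.conf supported_enctypes value into (enctype, salt) pairs.

    A token without ':salt' defaults to the "normal" salt type.
    """
    pairs = []
    for token in value.split():
        enctype, _, salt = token.partition(":")
        pairs.append((enctype, salt or "normal"))
    return pairs


def weak_kdc_enctypes(value: str) -> list[str]:
    """Return the weak enctypes a KDC is configured to generate keys for."""
    return [e for e, _ in parse_supported_enctypes(value) if e in WEAK_ENCTYPES]


# Constructed sample mirroring the getprinc listing in the thread.
GETPRINC_SAMPLE = """\
Principal: afs/cellname@REALM
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, des-cbc-crc, no salt
"""

# Constructed sample mirroring the kdc.conf supported_enctypes in the thread.
KDC_SAMPLE = ("aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal "
              "des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4")

if __name__ == "__main__":
    keys = parse_getprinc_keys(GETPRINC_SAMPLE)
    for bucket, enctypes in classify_keys(keys).items():
        print(f"{bucket:10s} {', '.join(enctypes) or '-'}")
    print("KDC weak enctypes:", weak_kdc_enctypes(KDC_SAMPLE))
```

Run against a real `kadmin.local getprinc` dump, the "weak" bucket is the list of principals that still need `allow_weak_crypto` on every client and KDC; once OpenAFS is migrated to an AES-capable release, an empty bucket plus no weak entries in `supported_enctypes` is the condition for turning the setting back off.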

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project