> [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
> ---------------------------------------
> Added host "afs-cellname.ipacloud.test"
> ---------------------------------------
>   Host name: afs-cellname.ipacloud.test
>   Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
>   Password: False
>   Keytab: False
>   Managed by: afs-cellname.ipacloud.test

OK, I have done an "ipa host-add --force afscellname" (in my case equal to the domain name).

> [root@cc21 ~]# ipa service-add --force afs/afs-cellname
> ----------------------------------------------
> Added service "afs/afs-celln...@ipacloud.test"
> ----------------------------------------------
>   Principal: afs/afs-celln...@ipacloud.test
>   Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa service-show afs/afs-cellname
>   Principal: afs/afs-celln...@ipacloud.test
>   Keytab: False
>   Managed by: afs-cellname.ipacloud.test
> [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
> Keytab successfully retrieved and stored in: /tmp/afs.keytab

OK, I have done an "ipa service-add --force afs/cellname" (in my case equal to the domain name).

> As you can see there is no problem at all -- all you need is to have a
> host entry with the same name as afs-cellname. Note that the host
> afs-cellname doesn't even need to exist in DNS.
>
> However, your primary problem would be in a different area. You'll need
> to enable weak crypto at KDC server, Kerberos clients, and LDAP servers.
>
> krb5.conf (on both IPA masters and clients):
> [libdefaults]
> allow_weak_crypto = true

Done.
> /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
> [realms]
> IPACLOUD.TEST = {
>   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
> }

Done.

> Finally, you need to modify
> cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> and add des-cbc-crc:v4 to supported Kerberos encryption types with
> krbSupportedEncSaltTypes attribute. You have to use ldapmodify as
> cn=Directory Manager for that as we don't allow admins to modify these
> entries directly.

I used JXplorer to modify the entries.

> A simplified approach would be to use ipa-ldap-updater with your own
> update file (which should have a name like <number>-<name>.update where
> <number> is something between 01 and 90):
>
> [root@cc21 ~]# cat 20-weak-enctypes.update
> dn: cn=$REALM,cn=kerberos,$SUFFIX
> add: krbSupportedEncSaltTypes: des-cbc-crc:v4
>
> [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
> Directory Manager password:
> Parsing update file './20-weak-enctypes.update'
> Updating existing entry: cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> Done
> The ipa-ldap-updater command was successful
>
> Only after that you'll get ipa-getkeytab to generate weaker encryption
> type-based keys.

OK.
getprinc of the afs/cellname@REALM principal says:

Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, camellia128-cts-cmac, no salt
Key: vno 1, camellia256-cts-cmac, no salt
Key: vno 1, des-cbc-crc, no salt

It looks like the single-DES key was created. If I ask for a TGT and an afs/cellname@REALM TGS ticket with kinit and aklog (from OpenAFS) I only get an AES256 key, but no single-DES ticket.

From the client PC:

kvno -e des-cbc-crc afs/cellname principal
kvno: KDC has no support for encryption type while getting credentials for afs/cellname@REALM

kvno -e aes256-cts afs/cellname principal
afs/cellname@REALM: kvno = 1

> However, we have a problem in FreeIPA 4.x that an
> attempt to force only a specific encryption type in ipa-getkeytab is
> ignored and instead only enctypes from krbDefaultEncSaltTypes attribute
> are generated. This bug is tracked with
> https://fedorahosted.org/freeipa/ticket/4718

I use FreeIPA 3.3.5 with Fedora on the single IPA master.

Cheers,
Andreas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
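The quoted reply walks through three separate changes (krb5.conf on masters and clients, the kdc.conf realm stanza, and the krbSupportedEncSaltTypes update applied with ipa-ldap-updater) and then says the weak-enctype key will only appear in the keytab after all of them are in place. The following is an added example, not code from the thread and not FreeIPA's own tooling: a small POSIX shell script that generates those three fragments for a given realm, adds allow_weak_crypto idempotently to an existing krb5.conf, and checks a `klist -ekt` listing of the resulting keytab for the single-DES key that OpenAFS needs. The realm name IPACLOUD.TEST, the output paths and the klist listing below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread, not FreeIPA code).
# Helpers for the weak-enctype procedure described in the reply above.

# Write the ipa-ldap-updater file that adds des-cbc-crc:v4 to the realm
# container.  $REALM and $SUFFIX are left literal on purpose: they are
# expanded by ipa-ldap-updater itself, not by this shell.
# The file name must look like NN-name.update with NN between 01 and 90.
write_update_file() {
    out="$1"
    cat > "$out" <<'EOF'
dn: cn=$REALM,cn=kerberos,$SUFFIX
add: krbSupportedEncSaltTypes: des-cbc-crc:v4
EOF
}

# Print the kdc.conf [realms] stanza for the given realm with des-cbc-crc:v4
# appended to supported_enctypes (goes into /var/kerberos/krb5kdc/kdc.conf
# on the IPA masters).
kdc_realm_stanza() {
    realm="$1"
    printf '[realms]\n%s = {\n  supported_enctypes = %s\n}\n' "$realm" \
        'aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4'
}

# Add "allow_weak_crypto = true" under [libdefaults] in an existing krb5.conf
# unless it is already set.  Safe to run more than once (no duplicate lines).
ensure_allow_weak_crypto() {
    conf="$1"
    if grep -q '^[[:space:]]*allow_weak_crypto' "$conf"; then
        return 0
    fi
    awk '{ print } /^\[libdefaults\]/ { print "  allow_weak_crypto = true" }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Given the text of `klist -ekt <keytab>`, return 0 if a key of enctype
# $3 exists for principal $2, 1 otherwise.  MIT klist prints the enctype
# in parentheses after the principal name.
keytab_has_enctype() {
    listing="$1"; princ="$2"; etype="$3"
    printf '%s\n' "$listing" | grep -F "$princ" | grep -qF "($etype)"
}

# Constructed sample of what `klist -ekt /tmp/afs.keytab` prints once the
# KDC has been allowed to generate the single-DES key (not real output).
SAMPLE_LISTING='Keytab name: FILE:/tmp/afs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/2015 12:00:00 afs/afs-cellname@IPACLOUD.TEST (aes256-cts-hmac-sha1-96)
   1 01/01/2015 12:00:00 afs/afs-cellname@IPACLOUD.TEST (des-cbc-crc)'

# Stand-alone run: write the fragments to a scratch directory and report
# whether the sample keytab listing carries the des-cbc-crc key.
main() {
    dir="${1:-$(mktemp -d)}"
    write_update_file "$dir/20-weak-enctypes.update"
    kdc_realm_stanza IPACLOUD.TEST > "$dir/kdc.conf.fragment"
    printf '[libdefaults]\n  default_realm = IPACLOUD.TEST\n' > "$dir/krb5.conf"
    ensure_allow_weak_crypto "$dir/krb5.conf"
    if keytab_has_enctype "$SAMPLE_LISTING" afs/afs-cellname@IPACLOUD.TEST des-cbc-crc; then
        echo "des-cbc-crc key present in keytab listing; fragments in $dir"
    else
        echo "no des-cbc-crc key yet: re-check the three configs and re-run ipa-getkeytab"
    fi
}

case "$0" in *sh) ;; *) main "$@" ;; esac
```

After applying the generated fragments and re-running `ipa-getkeytab`, `klist -ekt /tmp/afs.keytab` is the direct check that the single-DES key was actually written, and `kvno -e des-cbc-crc afs/afs-cellname` (as in the post) checks that the KDC will issue a ticket with it. Note that allow_weak_crypto and des-cbc-crc in supported_enctypes apply to the whole realm, not just the AFS principal, so every client that sets allow_weak_crypto becomes willing to accept single-DES session keys; keep the setting limited to the hosts that need AFS and remove it once the cell can move off single-DES.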