On 11/17/2014 07:59 AM, Andreas Ladanyi wrote:

I set up the 389 LDAP server to support des-cbc-crc enctype.

I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
(single-DES). I created the principal with:

kadmin.local -x ipa-setup-override-restrictions
Please don't do this; use the ipa service-add and ipa-getkeytab
commands instead.
I can't use ipa service-add, because for OpenAFS I need a service
principal called:

afs/cellname@REALM, where the cellname could be any name. In my case the
cellname is the same as the domain name.
[root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
Added host "afs-cellname.ipacloud.test"
  Host name: afs-cellname.ipacloud.test
  Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
  Password: False
  Keytab: False
  Managed by: afs-cellname.ipacloud.test
[root@cc21 ~]# ipa service-add --force afs/afs-cellname
Added service "afs/afs-celln...@ipacloud.test"
  Principal: afs/afs-celln...@ipacloud.test
  Managed by: afs-cellname.ipacloud.test
[root@cc21 ~]# ipa service-show afs/afs-cellname
  Principal: afs/afs-celln...@ipacloud.test
  Keytab: False
  Managed by: afs-cellname.ipacloud.test
[root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
Keytab successfully retrieved and stored in:

As you can see there is no problem at all -- all you need is to have a
host entry with the same name as afs-cellname. Note that the host
afs-cellname doesn't even need to exist in DNS.

However, your primary problem would be in a different area. You'll need
to enable weak crypto at the KDC server, Kerberos clients, and LDAP servers.

krb5.conf (on both IPA masters and clients):
  allow_weak_crypto = true

/var/kerberos/krb5kdc/kdc.conf (on IPA masters):
   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4

Finally, you need to modify
and add des-cbc-crc:v4 to supported Kerberos encryption types with
attribute. You have to use ldapmodify as cn=Directory Manager for that
as we don't allow admins to modify these entries directly.

A simplified approach would be to use ipa-ldap-updater with your own
update file (which should have a name like <number>-<name>.update where
<number> is something between 01 and 90):

[root@cc21 ~]# cat 20-weak-enctypes.update
dn:
add: krbSupportedEncSaltTypes: des-cbc-crc:v4

[root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
Directory Manager password:
Parsing update file './20-weak-enctypes.update'
Updating existing entry:
The ipa-ldap-updater command was successful

Only after that you'll get ipa-getkeytab to generate weaker encryption
type-based keys.
That's interesting. Now I can receive afs/cellname@REALM service tickets
with des-cbc-crc and aes256 keys on the client, but only when I execute:

kvno -e des-cbc-crc afs/cellname

If I execute aklog to obtain an AFS token from the TGT, I get an
afs/cellname@REALM service ticket without a des-cbc-crc key.

Are they using the same krb5.conf?

However, we have a problem in FreeIPA 4.x that an
attempt to force only a specific encryption type in ipa-getkeytab is
ignored and instead only enctypes from the krbDefaultEncSaltTypes attribute
are generated. This bug is tracked with

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
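As an added example (not part of this thread or of FreeIPA itself), the following Python audit parses krb5.conf and kdc.conf in the shape shown earlier and reports whether allow_weak_crypto is set and which supported_enctypes are weak, which is what a defender would want to check after enabling des-cbc-crc:v4 for OpenAFS. The realm name and both sample files are constructed.

```python
# Single-DES and export-grade RC4 enctypes: MIT krb5 only enables these when
# allow_weak_crypto = true, which is why the thread has to set it.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}

def parse_krb5_style(text):
    """Flatten krb5.conf/kdc.conf text into (section, realm, key, value)
    tuples, handling the one level of '{ }' nesting used under [realms]."""
    entries, section, realm = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif line.endswith("{"):
            realm = line[:-1].strip(" =")
        elif line == "}":
            realm = None
        elif "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, realm, key.strip().lower(), value.strip()))
    return entries

def weak_enctypes(enctype_list):
    """Weak enctypes in an 'enctype:salt enctype:salt ...' value."""
    names = {tok.split(":")[0].lower() for tok in enctype_list.split()}
    return sorted(names & WEAK_ENCTYPES)

def audit(krb5_conf, kdc_conf):
    """Report whether a KDC host has weak crypto enabled and where."""
    report = {"allow_weak_crypto": False, "weak_supported_enctypes": {}}
    for section, _realm, key, value in parse_krb5_style(krb5_conf):
        if section == "libdefaults" and key == "allow_weak_crypto":
            report["allow_weak_crypto"] = value.lower() in ("true", "yes", "1")
    for section, realm, key, value in parse_krb5_style(kdc_conf):
        if section == "realms" and key == "supported_enctypes":
            weak = weak_enctypes(value)
            if weak:
                report["weak_supported_enctypes"][realm] = weak
    return report

# Constructed sample files mirroring the thread's settings (not real configs).
SAMPLE_KRB5_CONF = "[libdefaults]\n  allow_weak_crypto = true\n"
SAMPLE_KDC_CONF = """[realms]
  IPACLOUD.TEST = {
    supported_enctypes = aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
  }"""

if __name__ == "__main__":
    print(audit(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF))
```

Run it against the real /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf on each IPA master once OpenAFS no longer needs single-DES, to confirm the weak settings have been removed again.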
