On Mon, 17 Nov 2014 13:59:44 +0100
Andreas Ladanyi <andreas.lada...@kit.edu> wrote:

> >
> >>>> Hi,
> >>>>
> >>>> I set up the 389 LDAP server to support des-cbc-crc enctype.
> >>>>
> >>>> I created a principal for OpenAFS. OpenAFS need des-cbc-crc:v4
> >>>> (single-DES). I created the principal with:
> >>>>
> >>>> kadmin.local -x ipa-setup-override-restrictions
> >>> Please don't do this, use the ipa service-add and ipa-getkeytab
> >>> commands instead.
> >> I can't use ipa service-add, because for OpenAFS I need a service
> >> principal called:
> >>
> >> afs/cellname@REALM, where the cellname could be any name. In my case the
> >> cellname is the same as the domain name.
> > [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
> > ---------------------------------------
> > Added host "afs-cellname.ipacloud.test"
> > ---------------------------------------
> >  Host name: afs-cellname.ipacloud.test
> >  Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
> >  Password: False
> >  Keytab: False
> >  Managed by: afs-cellname.ipacloud.test
> > [root@cc21 ~]# ipa service-add --force afs/afs-cellname
> > ----------------------------------------------
> > Added service "afs/afs-celln...@ipacloud.test"
> > ----------------------------------------------
> >  Principal: afs/afs-celln...@ipacloud.test
> >  Managed by: afs-cellname.ipacloud.test
> > [root@cc21 ~]# ipa service-show afs/afs-cellname
> >  Principal: afs/afs-celln...@ipacloud.test
> >  Keytab: False
> >  Managed by: afs-cellname.ipacloud.test
> > [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
> > Keytab successfully retrieved and stored in: /tmp/afs.keytab
> >
> > As you can see there is no problem at all -- all you need is to
> > have a host entry with the same name as afs-cellname. Note that the
> > host afs-cellname doesn't even need to exist in DNS.
> >
> > However, your primary problem would be in a different area. You'll
> > need to enable weak crypto at KDC server, Kerberos clients, and
> > LDAP servers.
> >
> > krb5.conf (on both IPA masters and clients):
> > [libdefaults]
> >  allow_weak_crypto = true
> >
> > /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
> > [realms]
> > IPACLOUD.TEST = {
> >   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
> > }
> >
> > Finally, you need to modify
> > cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> > and add des-cbc-crc:v4 to the supported Kerberos encryption types in the
> > krbSupportedEncSaltTypes attribute. You have to use ldapmodify as
> > cn=Directory Manager for that, as we don't allow admins to modify these
> > entries directly.
> >
> > A simplified approach would be to use ipa-ldap-updater with your own
> > update file (which should have a name like <number>-<name>.update
> > where <number> is something between 01 and 90):
> >
> > [root@cc21 ~]# cat 20-weak-enctypes.update
> > dn: cn=$REALM,cn=kerberos,$SUFFIX
> > add: krbSupportedEncSaltTypes: des-cbc-crc:v4
> >
> > [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
> > Directory Manager password:
> > Parsing update file './20-weak-enctypes.update'
> > Updating existing entry: cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> > Done
> > The ipa-ldap-updater command was successful
> >
> > Only after that you'll get ipa-getkeytab to generate weaker
> > encryption type-based keys.
> 
> That's interesting. Now I can receive afs/cellname@REALM service
> tickets with des-cbc-crc and aes256 key on the client, but only when I
> execute:
> 
> kvno -e des-cbc-crc afs/cellname
> 
> If I execute aklog to obtain an afs token from the TGT, I get an
> afs/cellname@REALM service ticket without a des-cbc-crc key.

This is probably because you got all default enctypes in the key, so
the KDC is sending you a ticket with the strongest keytype for which it
has a shared key with the service.

> > However, we have a problem in FreeIPA 4.x that an
> > attempt to force only a specific encryption type in ipa-getkeytab is
> > ignored and instead only enctypes from krbDefaultEncSaltTypes
> > attribute are generated. This bug is tracked with
> > https://fedorahosted.org/freeipa/ticket/4718

This is the bug that is causing your last issue ^^

One way around it is to use an older ipa-getkeytab binary (like the one
on RHEL 6) that uses the old setkeytab control.

We are working on a fix upstream and will land it asap.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
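The thread above walks through turning on weak crypto in krb5.conf and kdc.conf so that an OpenAFS principal can get a des-cbc-crc:v4 key. The following is an added audit script (not from this thread or from FreeIPA) that parses those two files in their INI-with-realm-blocks syntax and reports every setting that admits a weak or deprecated enctype, so an administrator can see exactly where single DES, 3DES and RC4 remain enabled and confirm they are removed once OpenAFS no longer needs them. The sample configuration embedded below is constructed from the thread's kdc.conf, with the krb5.conf [libdefaults] block folded in for the demonstration.

```python
# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                       "arcfour-hmac-md5", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Minimal krb5.conf/kdc.conf parser: {section: {key: value}}, where keys
    inside a 'REALM = { ... }' block are stored as 'REALM.key'."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:                          # text before any [section]
            continue
        elif line.endswith("{"):                       # start of 'REALM = {' block
            block = line[:-1].split("=")[0].strip()
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            key = f"{block}.{key.strip()}" if block else key.strip()
            conf[section][key] = value.strip()
    return conf

def weak_enctype_findings(text):
    """Return one finding string per weak-crypto setting present in the file."""
    conf = parse_krb5_conf(text)
    findings = []
    if conf.get("libdefaults", {}).get("allow_weak_crypto", "").lower() == "true":
        findings.append("libdefaults: allow_weak_crypto = true")
    for key, value in conf.get("realms", {}).items():
        if key.endswith(".supported_enctypes"):
            realm = key[: -len(".supported_enctypes")]
            for entry in value.split():              # entries look like enctype:salt
                if entry.split(":", 1)[0] in DEPRECATED_ENCTYPES:
                    findings.append(f"{realm}: supported_enctypes allows {entry}")
    return findings

# Constructed sample mirroring the thread's kdc.conf plus the krb5.conf setting.
SAMPLE_KDC_CONF = """[libdefaults]
 allow_weak_crypto = true
[realms]
IPACLOUD.TEST = {
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
}
"""
```

Running `weak_enctype_findings(open("/var/kerberos/krb5kdc/kdc.conf").read())` on a real KDC lists the same kind of findings for that host.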

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project