On 12/07/2012 3:25 PM, Andrew Deason wrote:
On Thu, 12 Jul 2012 11:16:55 -0400
Qing Chang <[email protected]> wrote:
which says that I have to create a keyfile with des-cbc-crc:v4 salt,
after some struggle with IPA I finally created the keyfile with
des-cbc-crc:v4. It did not help, I still get the same error.
Did you just extract a keytab, or did you also add the key to the
KeyFile using 'asetkey'? This is described on the page 'Initializing
Cell Security' around step 7:
<http://docs.openafs.org/QuickStartUnix/ch02s14.html>.
I did use asetkey to add the key with the right vno to KeyFile. But I was
wrong in assuming that I got a keytab with salt:
=====
kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
kadmin.local: getprinc afs/openafs.sri.utoronto.ca
Principal: afs/[email protected]
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=====
I am asking for a solution on the FreeIPA list to create a keytab with salt for cbc. In the
meantime, does anyone know definitively if the keytab has to have salt?
Thanks,
Qing
If you did actually create a KeyFile, you need to restart the server
processes for it to take effect. (Or 'touch' the server-side CellServDB
file.) You can run 'bos listkeys <server> -local' to show what keys the
server thinks it has (don't show this output to the list). You should
have at least one key listed if everything is set up correctly.