> On Mon, 10 Nov 2014 10:09:54 +0100
> Andreas Ladanyi <[email protected]> wrote:
>
>> Now aklog works and I can get an AFS token. Why are all these keys
>> important for aklog? Or which key exactly, the DES key, is important?
> That is indeed a bit puzzling; it's possible ipa-getkeytab does
> something else that makes this work, but I don't know enough about the
> details of what that does. I assume the tokens you get with 'aklog' work
> fine?
I also created a principal afs/cellname@REALM B with kadmin.local in FreeIPA to test it without the "ipa-getkeytab" FreeIPA tool:
ank -randkey -e des-cbc-crc:v4,aes256-cts:special afs/info.uni-karlsruhe.de
The result is:
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
klist -ef:
Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM B ("the FreeIPA Realm on the new kerberos/LDAP server")
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM B
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
No, the token from aklog doesn't work fine. I could only list the user
directories (the names of the users). I could not enter the user directories;
I couldn't enter my own directory. The AFS ID of the token is ok and
matches the owner uid of my user directory.
Another thing is:
pts listentries on the Testclient PC:
Name ID Owner Creator
pts: ticket contained unknown key version number ; unable to list entries
>
> What enctype is listed for the afs/cell@REALM principal if you run
> 'klist -ef' after you have a token?
Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM B ("the FreeIPA Realm on the new kerberos/LDAP server")
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM B
        Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> What version of openafs is on the
> client where you're running 'aklog'?
>
Ubuntu 14.04, openafs-client 1.6.7-1
cheers,
Andreas
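A small parser for the `klist -ef` output pasted in this thread, added here as an example and not part of the original mail or of OpenAFS/FreeIPA: it pulls the session-key and ticket enctypes out per service principal and reports whether the afs/ service ticket is single-DES (what classic rxkad without rxkad-k5 expects) or not. The sample text, its one-line Flags rows and the EXAMPLE.REALM name are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the `klist -ef` output quoted above;
# the realm is a placeholder because the thread does not name it.
SAMPLE_KLIST = """\
Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
\tFlags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@EXAMPLE.REALM
\tFlags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# Single-DES enctypes: the only ones classic rxkad (no rxkad-k5) can use.
DES_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

@dataclass
class Ticket:
    service: str      # service principal, e.g. afs/cellname@REALM
    flags: str        # klist flag letters, e.g. FAT
    skey_etype: str   # session key enctype
    tkt_etype: str    # enctype the ticket itself is encrypted with

_TS = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"   # dd.mm.yyyy HH:MM:SS as in the mail
TICKET_RE = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)\s*$")
FLAGS_RE = re.compile(r"^\s*Flags: (\S+), Etype \(skey, tkt\): ([^,\s]+),\s*(\S+)\s*$")

def parse_klist(text: str) -> List[Ticket]:
    """Parse `klist -ef` output into Ticket records (ticket line + its Flags line)."""
    tickets: List[Ticket] = []
    pending = None  # service principal from the most recent ticket line
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m and pending is not None:
            tickets.append(Ticket(pending, m.group(1), m.group(2), m.group(3)))
            pending = None
    return tickets

def afs_ticket_etypes(tickets: List[Ticket]) -> Dict[str, str]:
    """Map each afs/ service ticket to 'des' or 'non-des' by its ticket enctype,
    so a mismatch with what the AFS servers' key file holds is visible at a glance."""
    return {t.service: ("des" if t.tkt_etype in DES_ETYPES else "non-des")
            for t in tickets if t.service.startswith("afs/")}
```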