On Tue, 11 Nov 2014 09:28:35 +0100 Andreas Ladanyi <[email protected]> wrote:

> No, the token from aklog doesn't work fine. I could only list the user
> directories (name of the users). I could not enter the user directories.
> I couldn't enter my own directory. The AFS ID of the token is ok and
> matches the owner uid of my user directory.

Okay, that makes more sense; I wouldn't expect that to work, so I was a little confused.

So the reason that aklog "works" in that situation is because using the IPA tool gives you an AES key, amongst others. aklog then tries to use that AES key, which the KDC allows (since it's not "weak" crypto, since it's not DES). But you don't have your cell configured to use AES keys, so the token doesn't actually work.

On Tue, 11 Nov 2014 11:03:51 +0100 Andreas Ladanyi <[email protected]> wrote:

> > Or change what enctype you request like so:
> >
> > $ kvno -e des-cbc-crc afs/CELL
> > $ kvno -e aes256-hmac-cts afs/cell # this should _not_ work
>
> kvno -e des-cbc-crc afs/cellname
> kvno: KDC has no support for encryption type while getting credentials
> for afs/cellname@Realm B (the new Realm on FreeIPA)
>
> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
> afs/cellname@Realm B: kvno = 1

Yes, so you need to resolve that before this will work with the KeyFile with single DES.

However, I should note that since you're migrating to afs/cell@REALM_B, you have an opportunity to migrate to what is called "rxkad-k5", which allows AFS to use non-DES keys such as aes. Are you trying to avoid doing this, or were you maybe not aware that this exists? This might be easier for you to configure than trying to figure out what flags and settings and such you need to set in the KDC to let you use single DES; and of course, using non-DES is more secure and preferred. But you can only do this if all of your openafs servers are running 1.6.5 or newer; and if your KDC is refusing to use single-DES, you may have trouble using 'aklog' with clients that are older than 1.6.5.

If you want to try that approach, turn DES _off_ for AFS on the REALM_B KDC, and extract a new keytab for afs/cell@REALM. Make sure that the kvnos in this keytab are different than any of the kvnos in your existing KeyFile. To install the new keytab, instead of using asetkey or doing anything with the 'KeyFile', just copy that keytab to /usr/afs/etc/rxkad.keytab (or equivalent location; put it in the same dir that the 'KeyFile' is).

More information about this can be found here: <http://openafs.org/pages/security/install-rxkad-k5-1.6.txt> and here: <http://openafs.org/pages/security/how-to-rekey.txt>, but those documents are written with the idea of migrating existing cells and realms. You can sort-of follow the instructions for the "afs/cell Transition Procedure", since migrating to a new realm is somewhat similar.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

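A pre-install check for the keytab step described in the message above (kvnos in the new rxkad.keytab must not collide with those in the existing KeyFile, and no DES entries should remain once DES is turned off). This is an added shell example, not code from the thread or from OpenAFS; the two command outputs it parses are constructed samples that assume the line formats of `asetkey list` and `klist -kte`.

```shell
# Constructed sample of `asetkey list` output (existing KeyFile, single DES).
KEYFILE_LIST='kvno    3: key is: 0123456789abcdef
kvno    4: key is: fedcba9876543210
All done.'
# Constructed sample of `klist -kte /usr/afs/etc/rxkad.keytab` output.
KEYTAB_LIST='Keytab name: FILE:/usr/afs/etc/rxkad.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   4 11/11/14 09:00:00 afs/cell@REALM_B (aes256-cts-hmac-sha1-96)
   4 11/11/14 09:00:00 afs/cell@REALM_B (aes128-cts-hmac-sha1-96)
   5 11/11/14 09:05:00 afs/cell@REALM_B (des-cbc-crc)'
# Same keytab after DES was turned off and a fresh kvno was extracted.
CLEAN_KEYTAB='KVNO Timestamp         Principal
   5 11/11/14 09:10:00 afs/cell@REALM_B (aes256-cts-hmac-sha1-96)
   5 11/11/14 09:10:00 afs/cell@REALM_B (aes128-cts-hmac-sha1-96)'

# kvnos in `asetkey list` output ("kvno    3: key is: ..."), deduplicated.
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '/^kvno/ { sub(":", "", $2); print $2 }' | sort -nu
}
# kvnos in `klist -kte` output (data lines start with the kvno), deduplicated.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -nu
}
# Prints every kvno present in both lists; must be empty before installing.
kvno_overlap() {
    kf=$(keyfile_kvnos "$1")
    for k in $(keytab_kvnos "$2"); do
        for j in $kf; do [ "$k" = "$j" ] && echo "$k"; done
    done
    return 0
}
# Prints "<kvno> (<enctype>)" for any single-DES entry left in the keytab.
keytab_des_entries() {
    printf '%s\n' "$1" | awk '/\(des-cbc-(crc|md5|md4)\)/ { print $1, $NF }'
}
# Returns 0 when the keytab is safe to copy to /usr/afs/etc/rxkad.keytab.
preinstall_check() {
    ok=0
    dup=$(kvno_overlap "$1" "$2")
    [ -n "$dup" ] && { echo "kvno(s) already in KeyFile: $dup"; ok=1; }
    des=$(keytab_des_entries "$2")
    [ -n "$des" ] && { echo "DES entries still in keytab: $des"; ok=1; }
    return $ok
}

preinstall_check "$KEYFILE_LIST" "$KEYTAB_LIST" || echo "do not install this keytab yet"
```

On a live server, replace the two sample strings with the real output of `asetkey list` and `klist -kte` on the freshly extracted keytab before copying it into place.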