On Apr 26, 2015, at 3:13 PM, Jeffrey Altman wrote:

> It means that the Kerberos library cannot find the KDCs for your realm
> via DNS SRV records or local configuration.

I'm no longer running a real DNS. Only DNSMasq. It's been enough
so far. But as you can see, I've set up the local config.

> I believe the correct system path for krb5.conf on OSX is
> /Library/Preferences/edu.mit.Kerberos

Not on my machine. /etc/krb5.conf existed before I started this
and init didn't work. So I added some entries (like default_realm
etc) to /etc/krb5.conf and then THAT worked as it was supposed
to.

> Do you really want proxiable tickets?

I used to. I took these configs from my server, which in turn
inherited a lot from my REAL KDC when that was running a couple
of years ago. I haven't reviewed all additions… Maybe I should
remove that, thanks.

>>               dns_lookup_kdc = false
>>               dns_lookup_realm = false
> 
> DNS lookups are disabled.

Yes. On purpose (this time! :). That's why I need to specify
it in the file (further down).

>>               allow_weak_crypto = true
> 
> This is specified twice.

Oops, thanks!

> Note that OSX Yosemite doesn't support weak
> crypto under any circumstances and you must use non-DES keys for
> Kerberos to address OPENAFS-SA-2013-003

I noticed that on the Linux AFS clients as well. That's what took
the Linux side(s) so long to work.

> Only OpenAFS 1.6.5 or later can be used with non-DES keys for OpenAFS.

I AM using 1.6.5… And 1.6.10 on the server. But I STILL couldn't
get it to work with anything stronger. I had to use:

        kadmin.local -q "ank -randkey afs"
        kadmin.local -q "ktadd -e des-cbc-crc:v4 -k /etc/krb5.keytab.afs afs"

to get it to work at all...

>>      [login]
>>              krb4_convert = true
>>              krb4_get_tickets = false
> 
> kerberos 4 is dead.


I know. But initially I figured it couldn't reach the krb524 server
so I tried to enable K4. Didn't work either, and eventually I figured
that OpenAFS wouldn't include a Krb4-only aklog. Did you?
-- 
I love deadlines. I love the whooshing noise they
make as they go by.
- Douglas Adams
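
The configuration points raised in this exchange (a setting specified twice, allow_weak_crypto, Kerberos 4 options, and no KDC listed for the default realm while DNS lookups are disabled) can be checked mechanically. The following is an added example, not part of the original message and not code from the OpenAFS or Kerberos projects; the sample file, the realm and host names, and the `audit_krb5_conf` function are constructed for illustration.

```python
import re

# Constructed sample modelled on fragments quoted in this thread; names are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = false
    allow_weak_crypto = true
    allow_weak_crypto = true
[realms]
    OTHER.ORG = {
        kdc = kdc.other.org
    }
[login]
    krb4_convert = true
"""
TRUE = {"y", "yes", "true", "t", "1", "on"}  # assumed set of "true" spellings
# key = value; keys starting with '#' or ';' are comments and do not match
ASSIGN = re.compile(r"^([^=\s#;][^=\s]*)\s*=\s*(.*)$")

def audit_krb5_conf(text):
    findings, seen, libdefaults, kdc_realms = [], set(), {}, set()
    section = block = None
    for line in map(str.strip, text.splitlines()):
        m = ASSIGN.match(line)
        if line.startswith("["):
            section, block = line.strip("[]"), None
        elif line == "}":
            block = None
        elif m and m.group(2) == "{":
            block = m.group(1)              # entering a block such as a realm
        elif m and block and section == "realms" and m.group(1) == "kdc":
            kdc_realms.add(block)           # kdc may repeat inside a block
        elif m and not block:
            key = m.group(1)
            if (section, key) in seen:
                findings.append(("DUPLICATE", f"[{section}] {key}"))
            seen.add((section, key))
            if section == "libdefaults":
                libdefaults[key] = m.group(2)
            if key.startswith("krb4_"):
                findings.append(("KRB4", f"[{section}] {key}"))
    if libdefaults.get("allow_weak_crypto", "").lower() in TRUE:
        findings.append(("WEAK_CRYPTO", "allow_weak_crypto permits DES enctypes"))
    dns = libdefaults.get("dns_lookup_kdc", "true").lower() in TRUE  # unset: assume on
    realm = libdefaults.get("default_realm")
    if realm and not dns and realm not in kdc_realms:
        findings.append(("NO_KDC", f"{realm}: no kdc entry and DNS lookup off"))
    return findings

print(audit_krb5_conf(SAMPLE))
```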
