Re: [Freeipa-users] IPA + OpenAFS
On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
> sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created
> keytab with no salt:
> =
> kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
> Entry for principal afs/openafs.sri.utoronto.ca with kvno 20,
> encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
> kadmin.local: getprinc afs/openafs.sri.utoronto.ca
> Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
> Expiration date: [never]
> Last password change: Thu Jul 12 15:08:16 EDT 2012
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 20, des-cbc-crc, no salt
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
> =
>
> I also tried ":normal" and ":afs3", no salts added for any types. Is
> the IPA code not doing it, or I am missing something?

v4 means 'no salt' afaik.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
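Simo's point that the v4 salt type means an unsalted key (and, in his earlier reply further down the thread, that v4 "amounts to unsalted keys") can be checked by computing the salt a KDC pairs with a principal. The following is an added example, not code from the FreeIPA, MIT Kerberos or OpenAFS projects: it derives the RFC 4120 default ("normal") salt and the empty v4 salt for the thread's principals and runs them through the PBKDF2-HMAC-SHA1 stage that opens the RFC 3962 AES string-to-key function, to show that unsalted keys come out identical for any two principals that share a password. Assumptions: the realm is SRI.UTORONTO.CA (the posts only show an obfuscated lower-case form), the password is made up, and the final DK() step of RFC 3962 is omitted because it needs AES, so the printed values illustrate the salt's effect and are not real Kerberos keys. DES string-to-key (RFC 3961 section 6.2.1) uses a different fold and is not implemented here.

```python
"""Kerberos salt types as they affect string-to-key.

Added example (not FreeIPA/MIT/OpenAFS code). Realm SRI.UTORONTO.CA and the
password are assumptions; the DK() step of RFC 3962 is intentionally omitted.
"""
import hashlib


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm).

    The realm separator is the last '@'; backslash escapes inside components
    are not handled because the thread's names contain none.
    """
    at = name.rfind("@")
    if at < 0:
        raise ValueError("principal has no realm: %r" % name)
    return name[:at].split("/"), name[at + 1:]


def salt_for(principal, salt_type, special_salt=None):
    """Return the salt bytes the KDC pairs with this principal's key.

    normal  - RFC 4120 section 4 default: the realm followed by every name
              component, concatenated with no separators
    v4      - Kerberos 4 compatibility: the empty salt, which is exactly the
              'no salt' that getprinc printed in the thread
    special - an explicit salt stored next to the key
    """
    components, realm = parse_principal(principal)
    if salt_type == "normal":
        return (realm + "".join(components)).encode()
    if salt_type == "v4":
        return b""
    if salt_type == "special":
        if special_salt is None:
            raise ValueError("special salt type needs an explicit salt")
        return special_salt
    raise ValueError("unsupported salt type: %r" % salt_type)


def pbkdf2_stage(password, salt, keylen=8):
    """First stage of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1, 4096 rounds.

    A real AES key is then passed through DK(tkey, "kerberos"); that step is
    skipped here, so the result only illustrates how the salt changes the key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, keylen)


def keys_for(password, principals, salt_type):
    """Illustrative key each principal gets from one shared password."""
    return {p: pbkdf2_stage(password, salt_for(p, salt_type)).hex()
            for p in principals}


def unsalted_keys_collide(password, principals):
    """True when every principal ends up with the same key under the v4 salt."""
    return len(set(keys_for(password, principals, "v4").values())) == 1


if __name__ == "__main__":
    # Principals from the thread; the password is a made-up value.
    afs = "afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA"
    cell = "afs/sri.utoronto.ca@SRI.UTORONTO.CA"
    for st in ("normal", "v4"):
        print(st, "salt:", salt_for(afs, st))
        for p, k in keys_for("correct horse", [afs, cell], st).items():
            print("   ", p, k)
    print("v4 keys identical across principals:",
          unsalted_keys_collide("correct horse", [afs, cell]))
```

Running the script prints a different value per principal under the normal salt and the same value for both under v4. That is the operational cost of an unsalted key: work spent recovering a key from a password for one principal transfers to every other principal using that password, which is part of why Simo describes the v4 salt type as obsolete.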
Re: [Freeipa-users] IPA + OpenAFS
On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
> > keytab with v4 salt was created successfully using kadmin,
> > unfortunately OpenAFS still spit out the same error message:
> > [root@smb1 ~]# fs setacl /afs system:anyuser rl
> > fs: You don't have the required access rights on '/afs'
> >
> > When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
> > still does not like the fact that there is no host entry:
> > [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
> > ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created
keytab with no salt:
=
kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20,
encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
kadmin.local: getprinc afs/openafs.sri.utoronto.ca
Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=

I also tried ":normal" and ":afs3", no salts added for any types. Is
the IPA code not doing it, or I am missing something?

> > Thanks,
> > Qing
>
> Is there any problem of adding host entries into IPA?
> ipa host-add will create a host entry. It does not mean that you have
> to do something else with it.

Thanks,
Qing
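To see what ktadd actually wrote to /tmp/openafs, a practitioner would read the keytab back rather than trust the summary line. The following is an added example, not code from the MIT Kerberos, FreeIPA or OpenAFS projects: a parser for the MIT keytab file format (version 0x0502, big-endian fields, as documented by MIT krb5) plus a small serializer used only to build a constructed sample that mirrors the ktadd output in this message (kvno 20, enctype 1 = des-cbc-crc, a placeholder key). One thing the format makes obvious is that a keytab entry records no salt type at all; only the key bytes differ between a "normal" and a "no salt" key, so getprinc on the KDC, not klist on the keytab, is what answers the question asked above. The realm SRI.UTORONTO.CA, the name type and the timestamp in the sample are assumptions taken from the getprinc output.

```python
"""Dump the entries of an MIT-format keytab (file format version 0x0502).

Added example, not MIT/FreeIPA/OpenAFS code. The sample keytab at the bottom
is constructed here with a dummy 8-byte key; nothing was extracted from a KDC.
"""
import struct

KEYTAB_VERSION = 0x0502
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf, off):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry, in file order."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # deleted slot: skip |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown"),
                        "key": key})
        off = end
    return entries


def build_keytab(entries):
    """Serialise entries in the same layout, so the parser can be exercised offline."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        parts = name.split("/")
        body = struct.pack(">H", len(parts))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for p in parts:
            body += struct.pack(">H", len(p)) + p.encode()
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample mirroring the ktadd output in the thread (kvno 20,
# des-cbc-crc). Realm, name type and timestamp are assumptions; the key
# bytes are a placeholder, not a real key.
SAMPLE_KEYTAB = build_keytab([{
    "principal": "afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA",
    "name_type": 1,                 # KRB5_NT_PRINCIPAL
    "timestamp": 1342120096,        # Thu Jul 12 15:08:16 EDT 2012
    "kvno": 20, "enctype": 1, "key": bytes(range(8)),
}])
# Same file with a trailing deleted slot (negative size), as kadmin leaves behind
# after ktremove; the parser must step over it.
SAMPLE_WITH_DELETED = SAMPLE_KEYTAB + struct.pack(">i", -3) + b"\0\0\0"


def weak_enctype_entries(data):
    """Principals whose keytab entry still uses a single-DES enctype."""
    return [e["principal"] for e in parse_keytab(data) if e["enctype"] in (1, 2, 3)]


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_WITH_DELETED):
        print("%-48s kvno %-3d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
```

weak_enctype_entries() is the check worth scripting across a fleet: any entry it reports is a single-DES key, which is the class of key Simo calls deprecated and insecure later in this thread.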
Re: [Freeipa-users] IPA + OpenAFS
On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
> > keytab with v4 salt was created successfully using kadmin,
> > unfortunately OpenAFS still spit out the same error message:
> > [root@smb1 ~]# fs setacl /afs system:anyuser rl
> > fs: You don't have the required access rights on '/afs'
> >
> > When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
> > still does not like the fact that there is no host entry:
> > [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
> > ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.
>
> Is there any problem of adding host entries into IPA?
> ipa host-add will create a host entry. It does not mean that you have
> to do something else with it.

I have no problem creating host entries in IPA. It looks like IPA does
assume a service principal has to have a corresponding host principal,
which is reasonable in normal circumstances.

Now that I have created a keytab with v4 successfully, it may have become
an issue that I have to raise on the OpenAFS list.

Thanks,
Qing
Re: [Freeipa-users] IPA + OpenAFS
On 07/11/2012 04:01 PM, Qing Chang wrote:
> keytab with v4 salt was created successfully using kadmin,
> unfortunately OpenAFS still spit out the same error message:
> [root@smb1 ~]# fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
>
> When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
> still does not like the fact that there is no host entry:
> [root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

Is there any problem of adding host entries into IPA?
ipa host-add will create a host entry. It does not mean that you have to
do something else with it.

> Thanks,
> Qing

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] IPA + OpenAFS
On 11/07/2012 3:23 PM, Simo Sorce wrote:
> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
> > Because of the integration of Kerberos in IPA, Kerberos tools can be used
> > only in limited situations. When creating afs/DOMAIN@REALM with kadmin,
> > I got this error:
> > add_principal: Kerberos database constraints violated while creating
> > "afs/DOMAIN@REALM"
>
> Use ipa service-add to add services, never use kadmin.local, it will not
> work, we hard-coded failures in the DB driver to prevent users from
> doing that as kadmin doesn't know where to put and how to properly fill
> up objects.
>
> However you can use kadmin.local on a pre-existing principal to obtain a
> new keytab.
>
> Simo.

keytab with v4 salt was created successfully using kadmin,
unfortunately OpenAFS still spit out the same error message:
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
still does not like the fact that there is no host entry:
[root@ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

Thanks,
Qing
Re: [Freeipa-users] IPA + OpenAFS
On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
> Because of the integration of Kerberos in IPA, Kerberos tools can be used
> only in limited situations. When creating afs/DOMAIN@REALM with kadmin,
> I got this error:
> add_principal: Kerberos database constraints violated while creating
> "afs/DOMAIN@REALM"

Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA + OpenAFS
On 11/07/2012 3:10 PM, Dan Scott wrote:
> Hi,
>
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang wrote:
> > I agree with you that OpenAFS should implement a better enctype. I'll raise it
> > on their list. In the meantime, this is a block; do you have an estimate how
> > long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> > we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> > in our new infrastructure by end of July.
>
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?

Because of the integration of Kerberos in IPA, Kerberos tools can be used
only in limited situations. When creating afs/DOMAIN@REALM with kadmin,
I got this error:
add_principal: Kerberos database constraints violated while creating
"afs/DOMAIN@REALM"

> > There is another issue: by convention the OpenAFS service principal is created
> > as afs/DOMAIN@REALM. IPA does not support creating a service principal without
> > first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
> > to add the flexibility in IPA to create an arbitrary service principal, which
> > can be done with a standalone Kerberos KDC?
>
> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.
>
> Dan

-- 
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario, M4N 3M5
(416) 480-6100 x3263
qch...@sri.utoronto.ca
Re: [Freeipa-users] IPA + OpenAFS
On Wed, 2012-07-11 at 15:10 -0400, Dan Scott wrote:
> Hi,
>
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang wrote:
> > I agree with you that OpenAFS should implement a better enctype. I'll raise it
> > on their list. In the meantime, this is a block; do you have an estimate how
> > long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> > we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> > in our new infrastructure by end of July.
>
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?
>
> > There is another issue: by convention the OpenAFS service principal is created
> > as afs/DOMAIN@REALM. IPA does not support creating a service principal without
> > first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
> > to add the flexibility in IPA to create an arbitrary service principal, which
> > can be done with a standalone Kerberos KDC?

you can use the --force flag to force the creation of an arbitrary
service principal.

> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.

Using kadmin.local is really not recommended with IPA normally, but
maybe it can be used as a temporary workaround in this case.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA + OpenAFS
Hi,

On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang wrote:
> I agree with you that OpenAFS should implement a better enctype. I'll raise it
> on their list. In the meantime, this is a block; do you have an estimate how
> long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
> we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> in our new infrastructure by end of July.

Is it really a block? I run IPA with OpenAFS. I used the kadmin
utility to extract the keytab (I think - this was quite a while ago).
The ipa-getkeytab utility is nice, but not required. Or am I missing
something?

> There is another issue: by convention the OpenAFS service principal is created
> as afs/DOMAIN@REALM. IPA does not support creating a service principal without
> first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
> to add the flexibility in IPA to create an arbitrary service principal, which
> can be done with a standalone Kerberos KDC?

Again, you don't have to use the IPA tools. You can use the Kerberos
server tools.

Dan
Re: [Freeipa-users] IPA + OpenAFS
I agree with you that OpenAFS should implement a better enctype. I'll raise it
on their list. In the meantime, this is a block; do you have an estimate how
long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
in our new infrastructure by end of July.

There is another issue: by convention the OpenAFS service principal is created
as afs/DOMAIN@REALM. IPA does not support creating a service principal without
first having a corresponding host principal, eg, afs/FQDN@REALM. Is it possible
to add the flexibility in IPA to create an arbitrary service principal, which
can be done with a standalone Kerberos KDC?

I'll try to open a ticket for v4.

Many thanks,
Qing

On 11/07/2012 2:24 PM, Simo Sorce wrote:
> OK, I just checked the code and found out that we do not support
> creating keys with the 'v4' salt type in the ipa code.
>
> I am not sure why I skipped that salt type when I coded it up.
> Probably because it is basically obsolete (and amounts to unsalted keys)
> and the only thing that still uses it is AFS which uses DES that is also
> a completely deprecated and insecure algorithm these days.
>
> Unfortunately it is not something that can be changed via some
> parameter, if this is really needed I can only suggest opening a ticket
> in the freeipa trac instance.
>
> But can't AFS use some decent crypto these days, like AES?
>
> Simo.
Re: [Freeipa-users] IPA + OpenAFS
On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
> I think I do have it configured already:
> =
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
> krbSupportedEncSaltTypes: des-hmac-sha1:normal
> krbSupportedEncSaltTypes: des-cbc-md5:normal
> krbSupportedEncSaltTypes: des-cbc-crc:normal
> krbSupportedEncSaltTypes: des-cbc-crc:v4
> krbSupportedEncSaltTypes: des-cbc-crc:afs3
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
> krbDefaultEncSaltTypes: des3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =
>
> As I mentioned, I can create keytabs with des-cbc-crc:normal and
> des-cbc-crc:afs3, but not with des-cbc-crc:v4, which is what OpenAFS uses.
>
> Qing

OK, I just checked the code and found out that we do not support
creating keys with the 'v4' salt type in the ipa code.

I am not sure why I skipped that salt type when I coded it up.
Probably because it is basically obsolete (and amounts to unsalted keys)
and the only thing that still uses it is AFS which uses DES that is also
a completely deprecated and insecure algorithm these days.

Unfortunately it is not something that can be changed via some
parameter, if this is really needed I can only suggest opening a ticket
in the freeipa trac instance.

But can't AFS use some decent crypto these days, like AES?

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] IPA + OpenAFS
On 07/11/2012 10:19 AM, Qing Chang wrote:
> I think I do have it configured already:
> =
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
> krbSupportedEncSaltTypes: des-hmac-sha1:normal
> krbSupportedEncSaltTypes: des-cbc-md5:normal
> krbSupportedEncSaltTypes: des-cbc-crc:normal
> krbSupportedEncSaltTypes: des-cbc-crc:v4
> krbSupportedEncSaltTypes: des-cbc-crc:afs3
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
> krbDefaultEncSaltTypes: des3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =
>
> As I mentioned, I can create keytabs with des-cbc-crc:normal and
> des-cbc-crc:afs3, but not with des-cbc-crc:v4, which is what OpenAFS uses.

Is there anything in the Kerberos logs on the server?

> Qing

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
Re: [Freeipa-users] IPA + OpenAFS
I think I do have it configured already:
=
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
=

As I mentioned, I can create keytabs with des-cbc-crc:normal and
des-cbc-crc:afs3, but not with des-cbc-crc:v4, which is what OpenAFS uses.

Qing

On 11/07/2012 8:28 AM, Simo Sorce wrote:
> You need to change the supported enc types in LDAP for ipa to care.
> These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
> ldap.
>
> Simo.
Re: [Freeipa-users] IPA + OpenAFS
On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
> please forgive me if this is a question that has been answered somewhere
> already.
>
> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
> authentication but stumbled on this error:
>
> [root@smb1 ~]# fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
>
> A thread on the OpenAFS mailing list suggests that it is because I have the
> wrong salt with my afs service key. The right one should be "des-cbc-crc:v4",
> but the following fails when I tried to create the keytab file:
>
> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
> afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e
> des-cbc-crc:v4 -P
> New Principal Password:
> Verify Principal Password:
> Bad or unsupported salt type (1)!
> Failed to create key material
>
>
> My IPA server kdc.conf file has this:
> supported_enctypes = aes256-cts:normal aes128-cts:normal
> des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> des-cbc-crc:afs3
>
> And the krb5.conf file on both the IPA server and the OpenAFS server has this:
> allow_weak_crypto = true
>
> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and
> des-cbc-crc:afs3 works, but OpenAFS does not like them.

You need to change the supported enc types in LDAP for ipa to care.
These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
ldap.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York