On Mon, 17 Nov 2014 13:59:44 +0100 Andreas Ladanyi <[email protected]> wrote:
> >>>> Hi,
> >>>>
> >>>> I set up the 389 LDAP server to support des-cbc-crc enctype.
> >>>>
> >>>> I created a principal for OpenAFS. OpenAFS needs des-cbc-crc:v4
> >>>> (single-DES). I created the principal with:
> >>>>
> >>>> kadmin.local -x ipa-setup-override-restrictions
> >>> Please don't do this, use the ipa service-add and ipa-getkeytab
> >>> commands instead.
> >> I can't use ipa service-add, because for OpenAFS I need a service
> >> principal called:
> >>
> >> afs/cellname@REALM , the cellname could be any name. In my case the
> >> cellname is the same as the domain name.
> > [root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
> > ---------------------------------------
> > Added host "afs-cellname.ipacloud.test"
> > ---------------------------------------
> >   Host name: afs-cellname.ipacloud.test
> >   Principal name: host/afs-cellname.ipacloud.test@IPACLOUD.TEST
> >   Password: False
> >   Keytab: False
> >   Managed by: afs-cellname.ipacloud.test
> > [root@cc21 ~]# ipa service-add --force afs/afs-cellname
> > ----------------------------------------------
> > Added service "afs/afs-cellname.ipacloud.test@IPACLOUD.TEST"
> > ----------------------------------------------
> >   Principal: afs/afs-cellname.ipacloud.test@IPACLOUD.TEST
> >   Managed by: afs-cellname.ipacloud.test
> > [root@cc21 ~]# ipa service-show afs/afs-cellname
> >   Principal: afs/afs-cellname.ipacloud.test@IPACLOUD.TEST
> >   Keytab: False
> >   Managed by: afs-cellname.ipacloud.test
> > [root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
> > Keytab successfully retrieved and stored in: /tmp/afs.keytab
> >
> > As you can see there is no problem at all -- all you need is to
> > have a host entry with the same name as afs-cellname. Note that the
> > host afs-cellname doesn't even need to exist in DNS.
> >
> > However, your primary problem would be in a different area. You'll
> > need to enable weak crypto at KDC server, Kerberos clients, and
> > LDAP servers.
> >
> > krb5.conf (on both IPA masters and clients):
> > [libdefaults]
> > allow_weak_crypto = true
> >
> > /var/kerberos/krb5kdc/kdc.conf (on IPA masters):
> > [realms]
> > IPACLOUD.TEST = {
> >   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
> > }
> >
> > Finally, you need to modify
> > cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> > and add des-cbc-crc:v4 to supported Kerberos encryption types with
> > krbSupportedEncSaltTypes
> > attribute. You have to use ldapmodify as cn=Directory Manager for
> > that as we don't allow admins to modify these entries directly.
> >
> > A simplified approach would be to use ipa-ldap-updater with your own
> > update file (which should have a name like <number>-<name>.update
> > where <number> is something between 01 and 90):
> >
> > [root@cc21 ~]# cat 20-weak-enctypes.update
> > dn: cn=$REALM,cn=kerberos,$SUFFIX
> > add: krbSupportedEncSaltTypes: des-cbc-crc:v4
> >
> > [root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
> > Directory Manager password:
> > Parsing update file './20-weak-enctypes.update'
> > Updating existing entry:
> > cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
> > Done
> > The ipa-ldap-updater command was successful
> >
> > Only after that you'll get ipa-getkeytab to generate weaker
> > encryption type-based keys.
> That's interesting. Now I can receive afs/cellname@REALM service
> tickets with des-cbc-crc and aes256 key on the client, but only when I
> execute:
>
> kvno -e des-cbc-crc afs/cellname
>
> If I execute aklog to obtain an afs token from the tgt I get an
> afs/cellname@REALM service ticket without a des-cbc-crc key.

This is probably because you got all default enctypes in the key, so the
KDC is sending you a ticket with the strongest keytype for which it has
a shared key with the service.

> > However, we have a problem in FreeIPA 4.x that an
> > attempt to force only a specific encryption type in ipa-getkeytab is
> > ignored and instead only enctypes from krbDefaultEncSaltTypes
> > attribute are generated. This bug is tracked with
> > https://fedorahosted.org/freeipa/ticket/4718

This is the bug that is causing your last issue ^^

One way around it is to use an older ipa-getkeytab binary (like the one
on RHEL 6) that uses the old setkeytab control.

We are working on a fix upstream and will land it asap.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
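The two things the thread turns on are the KDC's enctype choice (why aklog gets an AES-keyed ticket while "kvno -e des-cbc-crc" gets a DES-keyed one) and the weak-crypto settings that have to be switched on in krb5.conf and kdc.conf to make single-DES work at all. The following is an added example, not code from the thread or from FreeIPA: it models the KDC's choice as "first enctype in the client's request list for which the service has a key", with a request order that is an assumption modelled on MIT krb5's default preference list, and it audits constructed copies of the two config fragments quoted above for weak and deprecated enctypes. The INI-style parser is a simplified reader, not the krb5 profile library, and the function names are the example's own.

```python
"""
Added example (not part of the freeipa-users thread): simulate which
enctype the KDC uses for a service ticket, and flag the weak-crypto
settings enabled in krb5.conf / kdc.conf. Config text is constructed
from the thread; the enctype order and the parser are simplifications.
"""
import re

# Client request order, strongest first: an assumption modelled on MIT
# krb5's default enctype list when allow_weak_crypto is on. aklog/kinit
# send something like this; "kvno -e des-cbc-crc" sends a one-item list.
DEFAULT_REQUEST = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
    "des-cbc-crc",
]
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES
DEPRECATED_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1"}     # deprecated in current MIT krb5


def pick_ticket_enctype(requested, service_keys, allow_weak=True):
    """Return the enctype the KDC would encrypt the service ticket with.

    Simplified model: walk the client's request list in preference order
    and take the first enctype the service principal has a key for. With
    allow_weak=False single-DES is skipped, which is what a client
    without allow_weak_crypto effectively sends.
    """
    for enc in requested:
        if enc in WEAK_ENCTYPES and not allow_weak:
            continue
        if enc in service_keys:
            return enc
    return None


# Constructed copies of the two fragments quoted in the thread.
KRB5_CONF = """\
[libdefaults]
 allow_weak_crypto = true
"""

KDC_CONF = """\
[realms]
 IPACLOUD.TEST = {
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
 }
"""


def parse_supported_enctypes(kdc_conf_text):
    """Map realm -> [(enctype, salttype)] from supported_enctypes lines."""
    realms, realm = {}, None
    for raw in kdc_conf_text.splitlines():
        line = raw.strip()
        block = re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$", line)
        if block:
            realm = block.group(1)
        elif line == "}":
            realm = None
        elif realm and line.startswith("supported_enctypes"):
            value = line.partition("=")[2]
            pairs = []
            for token in value.split():
                enc, _, salt = token.partition(":")
                pairs.append((enc, salt or "normal"))
            realms[realm] = pairs
    return realms


def service_key_enctypes(kdc_conf_text, realm):
    """Enctypes of the keys a new service principal in `realm` would get."""
    return [enc for enc, _ in parse_supported_enctypes(kdc_conf_text).get(realm, [])]


def audit_weak_crypto(krb5_conf_text, kdc_conf_text):
    """Return findings for allow_weak_crypto and weak/deprecated enctypes."""
    findings = []
    if re.search(r"^\s*allow_weak_crypto\s*=\s*true\s*$", krb5_conf_text, re.M | re.I):
        findings.append("krb5.conf: allow_weak_crypto = true (clients accept single-DES)")
    for realm, pairs in parse_supported_enctypes(kdc_conf_text).items():
        for enc, salt in pairs:
            if enc in WEAK_ENCTYPES:
                findings.append(f"kdc.conf [{realm}]: weak enctype {enc}:{salt} in supported_enctypes")
            elif enc in DEPRECATED_ENCTYPES:
                findings.append(f"kdc.conf [{realm}]: deprecated enctype {enc}:{salt} in supported_enctypes")
    return findings


if __name__ == "__main__":
    keys = service_key_enctypes(KDC_CONF, "IPACLOUD.TEST")
    print("aklog (default request):", pick_ticket_enctype(DEFAULT_REQUEST, keys))
    print("kvno -e des-cbc-crc:    ", pick_ticket_enctype(["des-cbc-crc"], keys))
    for finding in audit_weak_crypto(KRB5_CONF, KDC_CONF):
        print("finding:", finding)
```

Run as a script it reports aes256-cts-hmac-sha1-96 for the default request and des-cbc-crc for the explicit one, matching what Simo describes, and lists allow_weak_crypto plus the DES, RC4 and 3DES entries as findings; point audit_weak_crypto at real krb5.conf/kdc.conf contents to see where weak crypto remains enabled after the OpenAFS need has gone away.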
