On 07/11/2012 10:19 AM, Qing Chang wrote:
> I think I do have it configured already:
> =====
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
> krbSupportedEncSaltTypes: des-hmac-sha1:normal
> krbSupportedEncSaltTypes: des-cbc-md5:normal
> krbSupportedEncSaltTypes: des-cbc-crc:normal
> krbSupportedEncSaltTypes: des-cbc-crc:v4
> krbSupportedEncSaltTypes: des-cbc-crc:afs3
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
> krbDefaultEncSaltTypes: des3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =====
>
> As I mentioned, I can create keytabs with des-cbc-crc:normal and
> des-cbc-crc:afs3, but not with des-cbc-crc:v4, which is what OpenAFS uses.

Is there anything in the Kerberos logs on the server?

>
> Qing
>
> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>> Please forgive me if this is a question that has been answered
>>> somewhere already.
>>>
>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC
>>> for authentication but stumble on this error:
>>>
>>> [root@smb1 ~]# fs setacl /afs system:anyuser rl
>>> fs: You don't have the required access rights on '/afs'
>>>
>>> A thread on the OpenAFS mailing list suggests that it is because I have
>>> the wrong salt with my afs service key. The right one should be
>>> "des-cbc-crc:v4", but the following fails when I try to create the
>>> keytab file:
>>> ====
>>> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>>> afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab
>>> -e des-cbc-crc:v4 -P
>>> New Principal Password:
>>> Verify Principal Password:
>>> Bad or unsupported salt type (1)!
>>> Failed to create key material
>>> ====
>>>
>>> My IPA server kdc.conf file has this:
>>> supported_enctypes = aes256-cts:normal aes128-cts:normal
>>> des3-hmac-sha1:normal arcfour-hmac:normal
>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>> des-cbc-crc:v4 des-cbc-crc:afs3
>>>
>>> And the krb5.conf file on both the IPA server and the OpenAFS server
>>> has this:
>>> allow_weak_crypto = true
>>>
>>> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and
>>> des-cbc-crc:afs3 works, but OpenAFS does not like them.
>> You need to change the supported enc types in LDAP for ipa to care.
>> These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
>> ldap.
>>
>> Simo.
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.