On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
> I think I do have it configured already:
> =====
> krbSupportedEncSaltTypes: aes256-cts:normal
> krbSupportedEncSaltTypes: aes256-cts:special
> krbSupportedEncSaltTypes: aes128-cts:normal
> krbSupportedEncSaltTypes: aes128-cts:special
> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
> krbSupportedEncSaltTypes: des3-hmac-sha1:special
> krbSupportedEncSaltTypes: arcfour-hmac:normal
> krbSupportedEncSaltTypes: arcfour-hmac:special
> krbSupportedEncSaltTypes: des-hmac-sha1:normal
> krbSupportedEncSaltTypes: des-cbc-md5:normal
> krbSupportedEncSaltTypes: des-cbc-crc:normal
> krbSupportedEncSaltTypes: des-cbc-crc:v4
> krbSupportedEncSaltTypes: des-cbc-crc:afs3
> krbDefaultEncSaltTypes: aes256-cts:special
> krbDefaultEncSaltTypes: aes128-cts:special
> krbDefaultEncSaltTypes: des3-hmac-sha1:special
> krbDefaultEncSaltTypes: arcfour-hmac:special
> =====
> 
> As I mentioned, I can create keytabs with des-cbc-crc:normal and 
> des-cbc-crc:afs3,
> but not with des-cbc-crc:v4, which is what OpenAFS uses.
> 
> Qing
> 
> On 11/07/2012 8:28 AM, Simo Sorce wrote:
> > On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
> >> please forgive me if this is a question that has been answered somewhere 
> >> already.
> >>
> >> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
> >> authentication but stumble on this error:
> >>
> >> [root@smb1 ~]# fs setacl /afs system:anyuser rl
> >> fs: You don't have the required access rights on '/afs'
> >>
> >> A thread on OpenAFS mailing list suggests that it is because I have wrong 
> >> salt
> >> with my afs service key. The right one should be "des-cbc-crc:v4", but 
> >> following fails
> >> when I tried to create the keytab file:
> >> ====
> >> [root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
> >> afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e 
> >> des-cbc-crc:v4 -P
> >> New Principal Password:
> >> Verify Principal Password:
> >> Bad or unsupported salt type (1)!
> >> Failed to create key material

OK, I just checked the code and found out that we do not support
creating keys with the 'v4' salt type in the ipa code.

I am not sure why I skipped that salt type when I coded it up.
Probably because it is basically obsolete (and amounts to unsalted keys)
and the only thing that still uses it is AFS which uses DES that is also
a completely deprecated and insecure algorithm these days.

Unfortunately it is not something that can be changed via some
parameter, if this is really needed I can only suggest opening a ticket
in freeipa trac instance.

But can't AFS use some decent crypto these days, like AES ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
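What the reply means by the v4 salt type "amounting to unsalted keys" can be made concrete. The following is an added Python example, not code from this thread, from IPA or from MIT krb5: it builds the salt string each krbSupportedEncSaltTypes value implies for a principal (the mapping is my reading of the RFC 4120 default and the MIT krb5 salt-type conventions, an assumption for this example), then runs the first stage of the RFC 3962 AES string-to-key (PBKDF2-HMAC-SHA1, via hashlib) with each salt. The principal names are made up; the afs3 branch only returns the cell-name salt and does not implement the AFS-specific DES string-to-key that a real des-cbc-crc:afs3 key would use.

```python
import hashlib


def parse_principal(name):
    """Split a Kerberos principal string 'comp1/comp2@REALM' into (components, realm).

    A backslash escapes '/', '@' and '\\' as in the usual string form, so
    'host/a\\/b@EXAMPLE.COM' has the component 'a/b'.
    """
    components, cur, in_realm = [], [], False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):      # escaped character: take it literally
            cur.append(name[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":            # component separator
            components.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":          # start of the realm
            components.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if not in_realm:
        raise ValueError("principal %r has no realm" % name)
    realm = "".join(cur)
    if not realm or not components or "" in components:
        raise ValueError("principal %r has an empty component or realm" % name)
    return components, realm


def kerberos_salt(principal, salttype, stored_salt=None):
    """Return the salt string that string-to-key is fed for this salt type.

    Names are the ones used in krbSupportedEncSaltTypes. The mapping follows the
    RFC 4120 default and MIT krb5 conventions as I understand them (assumption).
    """
    comps, realm = parse_principal(principal)
    if salttype == "normal":     # RFC 4120 default: realm then components, no separators
        return realm + "".join(comps)
    if salttype == "norealm":    # components only
        return "".join(comps)
    if salttype == "onlyrealm":  # realm only
        return realm
    if salttype == "v4":         # Kerberos 4 compatibility: no salt at all
        return ""
    if salttype == "afs3":       # AFS cell name, conventionally the realm in lower case
        return realm.lower()
    if salttype == "special":    # random salt generated per key and stored beside it
        if stored_salt is None:
            raise ValueError("'special' keys carry their own stored random salt")
        return stored_salt
    raise ValueError("unknown salt type %r" % salttype)


def aes_tkey(password, salt, keylen=32, iterations=4096):
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt (4096 iterations and 32 bytes for aes256-cts).

    The finished key is DK(tkey, "kerberos"); that step needs an AES primitive
    and is left out here. It does not change which inputs the key depends on.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, keylen)


def keys_for(password, principals, salttype):
    """Map each principal to the hex tkey it gets under the given salt type, so the
    caller can see whether the salt ties the key to the principal or not."""
    return {p: aes_tkey(password, kerberos_salt(p, salttype)).hex() for p in principals}


if __name__ == "__main__":
    # Constructed sample principals; illustrative names, not the thread's cell.
    princs = ["afs/openafs.example.com@EXAMPLE.COM", "afs/openafs.example.net@EXAMPLE.NET"]
    for st in ("normal", "afs3", "v4"):
        print(st, keys_for("hunter2", princs, st))
```

Running it shows the difference that matters: with the normal or afs3 salt the same password gives a different key for every principal and realm, while with v4 every principal in every realm that shares a password shares the key, so a key recovered or precomputed for one principal transfers to all of them. That property, on top of DES, is the reason to push AFS towards an enctype and salt type the KDC defaults to (aes256-cts:special) rather than adding v4 support.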

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
