On 11/17/2014 07:59 AM, Andreas Ladanyi wrote:
Hi,

I set up the 389 LDAP server to support des-cbc-crc enctype.

I created a principal for OpenAFS. OpenAFS need des-cbc-crc:v4
(single-DES). I created the principal with:

kadmin.local -x ipa-setup-override-restrictions
Please don't do this; use the ipa service-add and ipa-getkeytab
commands instead.
I can't use ipa service-add, because for OpenAFS I need a service
principal called:

afs/cellname@REALM, where the cellname could be any name. In my case the
cellname is the same as the domainname.
[root@cc21 ~]# ipa host-add --force afs-cellname.ipacloud.test
---------------------------------------
Added host "afs-cellname.ipacloud.test"
---------------------------------------
  Host name: afs-cellname.ipacloud.test
  Principal name: host/afs-cellname.ipacloud.t...@ipacloud.test
  Password: False
  Keytab: False
  Managed by: afs-cellname.ipacloud.test
[root@cc21 ~]# ipa service-add --force afs/afs-cellname
----------------------------------------------
Added service "afs/afs-celln...@ipacloud.test"
----------------------------------------------
  Principal: afs/afs-celln...@ipacloud.test
  Managed by: afs-cellname.ipacloud.test
[root@cc21 ~]# ipa service-show afs/afs-cellname
  Principal: afs/afs-celln...@ipacloud.test
  Keytab: False
  Managed by: afs-cellname.ipacloud.test
[root@cc21 ~]# ipa-getkeytab -s `hostname` -p afs/afs-cellname -k /tmp/afs.keytab
Keytab successfully retrieved and stored in: /tmp/afs.keytab

As you can see there is no problem at all -- all you need is to have a
host entry with the same name as afs-cellname. Note that the host
afs-cellname doesn't even need to exist in DNS.

However, your primary problem would be in a different area. You'll need
to enable weak crypto at KDC server, Kerberos clients, and LDAP servers.

krb5.conf (on both IPA masters and clients):
[libdefaults]
  allow_weak_crypto = true

/var/kerberos/krb5kdc/kdc.conf (on IPA masters):
[realms]
IPACLOUD.TEST = {
   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
}

Finally, you need to modify
cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
and add des-cbc-crc:v4 to the supported Kerberos encryption types via the
krbSupportedEncSaltTypes attribute. You have to use ldapmodify as
cn=Directory Manager for that, as we don't allow admins to modify these
entries directly.

A simplified approach would be to use ipa-ldap-updater with your own
update file (which should have a name like <number>-<name>.update where
<number> is something between 01 and 90):

[root@cc21 ~]# cat 20-weak-enctypes.update
dn: cn=$REALM,cn=kerberos,$SUFFIX
add: krbSupportedEncSaltTypes: des-cbc-crc:v4

[root@cc21 ~]# ipa-ldap-updater ./20-weak-enctypes.update
Directory Manager password:
Parsing update file './20-weak-enctypes.update'
Updating existing entry:
cn=IPACLOUD.TEST,cn=kerberos,dc=ipacloud,dc=test
Done
The ipa-ldap-updater command was successful

Only after that you'll get ipa-getkeytab to generate weaker encryption
type-based keys.
That's interesting. Now I can receive afs/cellname@REALM service tickets
with des-cbc-crc and aes256 keys on the client, but only when I execute:

kvno -e des-cbc-crc afs/cellname

If I execute aklog to obtain an AFS token from the TGT I get an
afs/cellname@REALM service ticket without a des-cbc-crc key.

Are they using the same krb5.conf?


However, we have a problem in FreeIPA 4.x that an
attempt to force only a specific encryption type in ipa-getkeytab is
ignored and instead only enctypes from krbDefaultEncSaltTypes attribute
are generated. This bug is tracked with
https://fedorahosted.org/freeipa/ticket/4718
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
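As an added check (not code from the thread, from FreeIPA or from MIT Kerberos), here is a small Python audit helper for the three places the reply above touches when enabling single-DES: it reports the weak tokens in each realm's supported_enctypes in kdc.conf, whether krb5.conf turns on allow_weak_crypto, and which weak values an ipa-ldap-updater file adds to krbSupportedEncSaltTypes. The weak-type set follows the enctypes MIT krb5 gates behind allow_weak_crypto, and the sample inputs are constructed from the fragments posted in the thread.

```python
import re

# Single-DES and export-grade enctypes that MIT krb5 refuses unless allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3-cbc-raw",
                 "des-hmac-sha1", "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}

def enctype_name(token):
    """'des-cbc-crc:v4' -> 'des-cbc-crc' (drop the salt type suffix)."""
    return token.split(":", 1)[0].lower()

def parse_kdc_realms(kdc_conf):
    """Map each realm in the [realms] section of kdc.conf to its supported_enctypes tokens."""
    realms, realm, section = {}, None, None
    for raw in kdc_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section != "realms" or not line or line[0] in "#;":   # other sections, blanks, comments
            continue
        elif (m := re.match(r"([\w.\-]+)\s*=\s*\{", line)):          # e.g. 'IPACLOUD.TEST = {'
            realm = m.group(1)
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and line.startswith("supported_enctypes"):
            realms[realm] += line.split("=", 1)[1].split()
    return realms

def weak_in_kdc_conf(kdc_conf):
    """{REALM: [weak enctype:salt tokens]} for every realm that advertises a weak type."""
    found = {r: [t for t in ts if enctype_name(t) in WEAK_ENCTYPES]
             for r, ts in parse_kdc_realms(kdc_conf).items()}
    return {r: ts for r, ts in found.items() if ts}

def allows_weak_crypto(krb5_conf):
    """True when krb5.conf's [libdefaults] turns on allow_weak_crypto."""
    return bool(re.search(r"^\s*allow_weak_crypto\s*=\s*(true|yes|1)\s*$", krb5_conf, re.M | re.I))

def weak_in_update_file(update_text):
    """Weak values an ipa-ldap-updater file adds to the realm's krbSupportedEncSaltTypes."""
    vals = re.findall(r"^(?:add|replace):\s*krbSupportedEncSaltTypes:\s*(\S+)", update_text, re.M | re.I)
    return [v for v in vals if enctype_name(v) in WEAK_ENCTYPES]

# Constructed sample inputs, taken from the fragments posted in the thread.
KDC_CONF = """[realms]
IPACLOUD.TEST = {
   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:v4
}"""
KRB5_CONF = "[libdefaults]\n  allow_weak_crypto = true\n"
UPDATE_FILE = "dn: cn=$REALM,cn=kerberos,$SUFFIX\nadd: krbSupportedEncSaltTypes: des-cbc-crc:v4\n"
```

Run it against the real files on an IPA master to list every realm that still advertises a single-DES type after the OpenAFS principal is no longer needed.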

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
