hi,

a big thanks to those who responded to this one. in-between starting a new job i managed to sort all this out. basic issue was to remove all unnecessary enctypes & then bob's your uncle.

cheers, dave

NB in case anybody needs to refer to something more concrete about what was done, here is the working procedure:

kadmin -p admin/krb
kadmin> add --random-key --use-defaults afs/muse.net.nz
kadmin> del_enctype afs/muse.net.nz des3-cbc-sha1
kadmin> del_enctype afs/muse.net.nz aes256-cts-hmac-sha1-96
kadmin> del_enctype afs/muse.net.nz arcfour-hmac-md5
kadmin> list *afs*
        admin/afs
        afs/muse.net.nz
        host/afsdb.muse.net.nz
kadmin> get afs/[EMAIL PROTECTED]
            Principal: afs/[EMAIL PROTECTED]
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2007-03-12 04:28:42 UTC
             Modifier: kadmin/[EMAIL PROTECTED]
           Attributes:
Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt)
kadmin> ext -k /etc/afskeytabfile.krb5 afs/muse.net.nz
kadmin> quit
[EMAIL PROTECTED]:/ $ ktutil -k /etc/afskeytabfile.krb5 list
        /etc/afskeytabfile.krb5:

        Vno  Type         Principal
          1  des-cbc-md5  afs/[EMAIL PROTECTED]
          1  des-cbc-md4  afs/[EMAIL PROTECTED]
          1  des-cbc-crc  afs/[EMAIL PROTECTED]
[EMAIL PROTECTED]:/ $ mkdir -p /usr/afs/etc
[EMAIL PROTECTED]:/ $ ln -s /etc/afs/ThisCell /usr/afs/etc/ThisCell
[EMAIL PROTECTED]:/ $ cat /etc/afs/ThisCell
        muse.net.nz
[EMAIL PROTECTED]:/ $ ktutil copy FILE:/etc/afskeytabfile.krb5 AFSKEYFILE:/usr/afs/etc/KeyFile

NB i'd be happy to add this to the wiki in future, but i'll wait until openbsd 4.1 comes out (& we get the openafs port added into -current again) as there are further kerberos/heimdal changes within apparently to catch me unawares.

* ted creedon [2007-03-09 07:35:12 -0900]:
Kadmin needs "des-cbc-crc:normal" specifically with the ":normal" suffix.

heimdal desalinates (ok removes the salt) on export. nice!

N.B. scorch is using Heimdal (0.7 or 0.8?), not MIT Kerberos.

I'd suggest deleting the AES and Arcfour enctypes as well. This was
probably not an issue with the version of Heimdal in use three years
ago (no AES support yet), which would explain why those old notes did
not mention it.

"bos listkeys" lists two keys with the same kvno (1). At least one of them
must be wrong.

yes :-) good question how _that_ got in!

the next big task is to figure out how to build openafs with files going into the "right" place according to openbsd hierarchy. this used to work as part of the old port, but it's not doing the right thing at present.

a+
dave
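A verification step that slots between the `ktutil ... list` and `ktutil copy` commands above, added here as an example and not part of Dave's procedure or of the OpenAFS/Heimdal tools: it parses a saved ktutil listing, flags any afs/ entry whose enctype is not one of the three DES types the AFS KeyFile can hold (i.e. an enctype the kadmin trim missed), and flags exact duplicate rows. The realm REALM.EXAMPLE in the constructed samples is a placeholder, since the archive masked the real one.

```shell
#!/bin/sh
# Added example, not from the thread: check a saved "ktutil -k <keytab> list"
# listing before "ktutil copy ... AFSKEYFILE:". The AFS KeyFile holds only DES
# keys, so a non-DES afs/ entry means the kadmin enctype trim was incomplete;
# an exact duplicate row is the keytab-side form of "two keys with kvno 1".

AFS_DES_ENCTYPES="des-cbc-md5 des-cbc-md4 des-cbc-crc"  # what the KeyFile can hold

# check_afs_keytab_listing FILE: prints one line per problem; 0 if clean, else 1.
check_afs_keytab_listing() {
    problems=$(awk -v allowed="$AFS_DES_ENCTYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 ~ /^afs\// {                       # data rows: "<Vno> <Type> <Principal>"
            if (!($2 in ok))
                printf "non-DES enctype %s for %s (kvno %s)\n", $2, $3, $1
            row = $1 " " $2 " " $3
            if (row in seen)
                printf "duplicate entry: kvno %s %s %s\n", $1, $2, $3
            seen[row] = 1
        }' "$1")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample listings; REALM.EXAMPLE stands in for the real realm.
GOOD_LISTING='/etc/afskeytabfile.krb5:

Vno  Type         Principal
  1  des-cbc-md5  afs/muse.net.nz@REALM.EXAMPLE
  1  des-cbc-md4  afs/muse.net.nz@REALM.EXAMPLE
  1  des-cbc-crc  afs/muse.net.nz@REALM.EXAMPLE'
BAD_LISTING='/etc/afskeytabfile.krb5:

Vno  Type                     Principal
  1  des-cbc-crc              afs/muse.net.nz@REALM.EXAMPLE
  1  des-cbc-crc              afs/muse.net.nz@REALM.EXAMPLE
  1  aes256-cts-hmac-sha1-96  afs/muse.net.nz@REALM.EXAMPLE'

# demo: returns 0 only when the good listing passes and the bad one is rejected.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$GOOD_LISTING" > "$tmp"
    good=0; check_afs_keytab_listing "$tmp" >/dev/null || good=$?
    printf '%s\n' "$BAD_LISTING" > "$tmp"
    bad=0; check_afs_keytab_listing "$tmp" >/dev/null || bad=$?
    rm -f "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run it against `ktutil -k /etc/afskeytabfile.krb5 list > listing.txt` with `check_afs_keytab_listing listing.txt` before doing the `ktutil copy`.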
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info