> On Tue, 11 Nov 2014 09:28:35 +0100
> Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
>
>> No, the token from aklog doesn't work fine. I could only list the user
>> directories (name of the users). I could not enter the user directories.
>> I couldn't enter my own directory. The AFS ID of the token is ok and
>> matches the owner uid of my user directory.
> Okay, that makes more sense; I wouldn't expect that to work, so I was a
> little confused.
>
> So the reason that aklog "works" in that situation is because using the
> IPA tool gives you an AES key, amongst others. aklog then tries to use
> that AES key, which the KDC allows (since it's not "weak" crypto since
> it's not DES). But you don't have your cell configured to use AES keys,
> so the token doesn't actually work.
>
>
> On Tue, 11 Nov 2014 11:03:51 +0100
> Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
>
>>> Or change what enctype you request like so:
>>>
>>> $ kvno -e des-cbc-crc afs/CELL
>>> $ kvno -e aes256-hmac-cts afs/cell # this should _not_ work
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials
>> for afs/cellname@Realm B (the new Realm on FreeIPA)
>>
>> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
>> afs/cellname@Realm B: kvno = 1
> Yes, so you need to resolve that before this will work with the KeyFile
> with single DES.

I think I solved this issue now:
1.) kinit ........
kvno -e des-cbc-crc afs/CELL
afs/cellname@REALM: kvno = 1

klist -e for the afs/cellname service ticket:
des-cbc-crc, aes256-cts-hmac-sha1-96

2.) kinit .....
kvno -e aes256-cts afs/CELL
results in: afs/cellname@REALM: kvno = 1

klist -e for the afs/cellname service ticket:
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

3.) kinit .......
aklog
klist -e shows me an afs service ticket without des-cbc-crc:
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

In none of the above cases does the afs service ticket work correctly, although in the 1. case I have a des-cbc-crc key. I can't access my user directory in AFS. I get a permission denied error.

cheers,
Andreas
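An added example (not part of the original messages): a shell function that reads `klist -e` output and reports, for each afs/ service ticket, the session-key and ticket enctypes, flagging tickets whose ticket enctype is not the one the cell's KeyFile holds (single DES in this thread). It assumes MIT Kerberos `klist -e` formatting with an `Etype (skey, tkt):` line; the function names and the sample ticket listing are constructed for illustration.

```shell
#!/bin/sh
# check_afs_etypes [WANTED_TKT_ENCTYPE]
# Reads `klist -e` text on stdin and prints one line per afs/ ticket:
#   <principal> skey=<enctype> tkt=<enctype> <OK|MISMATCH>
# The second enctype (tkt) is the key the ticket is encrypted in, so it is the
# one the file server must hold; the first (skey) is only the session key.
# Exit status: 0 all afs tickets OK, 1 at least one mismatch, 2 no afs ticket.
check_afs_etypes() {
    want="${1:-des-cbc-crc}"
    awk -v want="$want" '
        # Etype line belonging to the afs/ ticket seen just before it.
        /Etype \(skey, tkt\):/ && princ != "" {
            line = $0
            sub(/^.*\): */, "", line)          # drop the label
            split(line, e, ", ")               # e[1]=skey, e[2]=tkt
            sub(/[ \t\r]+$/, "", e[2])
            verdict = (e[2] == want) ? "OK" : "MISMATCH"
            if (verdict == "MISMATCH") bad = 1
            found = 1
            printf "%s skey=%s tkt=%s %s\n", princ, e[1], e[2], verdict
            princ = ""
            next
        }
        # Ticket lines end in the service principal; track only afs/ ones.
        $NF ~ /@/ { princ = ($NF ~ "^afs[/@]") ? $NF : "" }
        END { if (!found) exit 2; exit bad ? 1 : 0 }
    '
}

# Constructed sample resembling case 1.) above (not captured output).
sample_klist_output() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@REALM

Valid starting     Expires            Service principal
11/11/14 11:00:00  11/12/14 11:00:00  krbtgt/REALM@REALM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/11/14 11:00:05  11/12/14 11:00:00  afs/cellname@REALM
        Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
EOF
}

sample_klist_output | check_afs_etypes des-cbc-crc || echo "exit status: $?"
```

On a live system the input would come from `klist -e | check_afs_etypes des-cbc-crc`.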