[OpenAFS] Re: IPA + OpenAFS

Qing Chang qchang@sri.utoronto.ca
Thu, 12 Jul 2012 15:39:05 -0400

On 12/07/2012 3:25 PM, Andrew Deason wrote:
> On Thu, 12 Jul 2012 11:16:55 -0400
> Qing Chang <qchang@sri.utoronto.ca> wrote:
>
>> which says that I have to create a keyfile with des-cbc-crc:v4 salt,
>> after some struggle with IPA I finally created the keyfile with
>> des-cbc-crc:v4.  It did not help, I still get the same error.
> Did you just extract a keytab, or did you also add the key to the
> KeyFile using 'asetkey'? This is described on the page 'Initializing
> Cell Security' around step 7:
> <http://docs.openafs.org/QuickStartUnix/ch02s14.html>.
I did use asetkey to add the key with the right vno to KeyFile. But I was
wrong in assuming that I got a keytab with salt:
=====
kadmin.local:   ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to 
keytab WRFILE:/tmp/openafs.
kadmin.local:  getprinc afs/openafs.sri.utoronto.ca
Principal: afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/admin@SRI.UTORONTO.CA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=====

I am asking for a solution on the FreeIPA list to create a keytab with salt for cbc; in the
meantime, does anyone know definitively whether the keytab has to have salt?

Thanks,
Qing

> If you did actually create a KeyFile, you need to restart the server
> processes for it to take effect. (Or 'touch' the server-side CellServDB
> file.) You can run 'bos listkeys <server> -local' to show what keys the
> server thinks it has (don't show this output to the list). You should
> have at least one key listed if everything is set up correctly.
>
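The verification step this exchange turns on, as an added example that is not part of the thread or of OpenAFS: parse the keytab that ktadd wrote and confirm it holds a des-cbc-crc key for the AFS principal, reading off the kvno that 'asetkey add' must be given. It assumes the MIT keytab file format (version 0x0502); the sample keytab and its dummy key are constructed here, and the function names are my own.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961

def parse_keytab(data):
    """Parse an MIT keytab (file version 0x0502) into principal/kvno/enctype entries.
    Entries hold the raw key and no salt type, so a keytab cannot show how a key was salted."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack(">i", data[pos:pos + 4]), pos + 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2])
        off, names = 2, []
        for _ in range(ncomp + 1):          # realm first, then name components
            (n,) = struct.unpack(">H", body[off:off + 2])
            names.append(body[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 8                            # skip name_type and timestamp
        vno8, enctype, klen = struct.unpack(">BHH", body[off:off + 5])
        off += 5 + klen                     # skip the key bytes; never log them
        # A 32-bit kvno may trail the entry; MIT uses it when nonzero.
        vno32 = struct.unpack(">I", body[off:off + 4])[0] if len(body) - off >= 4 else 0
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": vno32 or vno8,
                        "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype)})
    return entries

def afs_key_for_asetkey(entries, principal):
    """Return the kvno to hand to 'asetkey add' for the AFS principal; raise if no des-cbc-crc key."""
    for e in entries:
        if e["principal"] == principal and e["enctype"] == "des-cbc-crc":
            return e["kvno"]
    raise LookupError("no des-cbc-crc key for %s in keytab" % principal)

def build_entry(realm, comps, kvno, enctype, key):
    """Assemble one keytab entry; used only to construct the sample below."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 1342123696, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a dummy des-cbc-crc key, kvno 20, for the thread's principal.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "SRI.UTORONTO.CA", ["afs", "openafs.sri.utoronto.ca"], 20, 1, b"\x01" * 8)
```

Run against a real keytab with `parse_keytab(open("/tmp/openafs", "rb").read())`; the kvno it reports is the one asetkey and `bos listkeys` should both show.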
