[OpenAFS] Problem getting AFS tokens on debian...

Jan Pospisil honik@kma.zcu.cz
Mon, 18 Jan 2010 17:53:29 +0100 (CET)


On Mon, 18 Jan 2010, at 09:58 -0500, Derrick Brashear wrote:

> they're just standard krb5 errors.
>
> #define KRB5_CC_NOT_KTYPE                        (-1765328184L)
> #define KRB5KDC_ERR_ETYPE_NOSUPP                 (-1765328370L)

So there is some incompatibility in the encryption of the keys?
But how can I find out what the problem is?

On Mon, 18 Jan 2010, at 15:37 -0000, Simon Wilkinson wrote:

> MIT Kerberos 1.8 disables DES by default.
> You can reenable it by setting allow_weak_enctypes in your krb5.conf.

In my krb5.conf I have (among others):

[libdefaults]
default_realm = ZCU.CZ
default_tgs_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc

ticket_lifetime = 0d 8h 0m 0s
renew_lifetime = 15d 0h 0m 0s
forwardable = yes
proxiable = no
noaddresses = no

dns_lookup_kdc = no
dns_lookup_realm = no
dns_fallback = no

default_etypes = des3-hmac-sha1 des-cbc-md5 des-cbc-crc
v4_instance_resolve = yes
forward = yes
encrypt = yes
krb4_get_tickets = no


[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
renewable = true

krb4_get_tickets = false
krb4_convert = false

krb5_run_aklog = true
krb5_aklog_path = /usr/bin/aklog

retain_ccache = false
afs_retain_token = false
check_quota = false

kinit = {
    forwardable = yes
    proxiable = no
    no-address = no
}

telnet = {
    forward = true
    autologin = true
    encrypt = true
}



Adding the line
allow_weak_enctypes = yes
to the [libdefaults] section (is this the right syntax/place?)
unfortunately does not help.


> what key type is the AFS key?

I'm afraid I don't know how to find out, probably DES:
On a working machine I have:

$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_6141_nqsUDa
Default principal: honik@ZCU.CZ

Valid starting     Expires            Service principal
01/18/10 17:42:42  01/19/10 01:42:42  krbtgt/ZCU.CZ@ZCU.CZ
         renew until 02/02/10 17:42:42, Flags: FRIA
         Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
01/18/10 17:42:43  01/19/10 01:42:42  afs/zcu.cz@ZCU.CZ
         renew until 01/25/10 17:42:43, Flags: FRAT
         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

Jan

--
Jan Pospisil, Ph.D.           e-mail: honik@kma.zcu.cz
University of West Bohemia    phone:  (+420) 37763-2675
Department of Mathematics     fax:    (+420) 37763-2602
Plzen, Czech Republic         address: Univerzitni 22, 306 14
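The following script is an added example and is not part of the message above or of the OpenAFS project. It does the two checks the thread is circling around: it scans `klist -fe` output for tickets whose session or ticket key is single DES (the `afs/zcu.cz@ZCU.CZ` ticket above is `DES cbc mode with CRC-32` on both), and it checks whether a krb5.conf really re-enables weak enctypes. The krb5.conf key that MIT Kerberos 1.8 recognizes for this is `allow_weak_crypto`; `allow_weak_enctypes` is not a known key and is silently ignored, which is why adding it changes nothing. The klist output and the two krb5.conf fragments embedded below are constructed samples modelled on the message; the function names `weak_tickets` and `allows_weak_crypto` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): find single-DES tickets in
# `klist -fe` output and check whether [libdefaults] sets allow_weak_crypto,
# which MIT Kerberos >= 1.8 requires before it will use DES keys at all.

# Constructed sample of `klist -fe` output, modelled on the message above.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_6141_nqsUDa
Default principal: honik@ZCU.CZ

Valid starting     Expires            Service principal
01/18/10 17:42:42  01/19/10 01:42:42  krbtgt/ZCU.CZ@ZCU.CZ
         renew until 02/02/10 17:42:42, Flags: FRIA
         Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
01/18/10 17:42:43  01/19/10 01:42:42  afs/zcu.cz@ZCU.CZ
         renew until 01/25/10 17:42:43, Flags: FRAT
         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'

# Constructed krb5.conf as posted: the enctype lists include single DES,
# but "allow_weak_enctypes" is not a key MIT krb5 knows, so DES stays off.
CONF_AS_POSTED='[libdefaults]
default_realm = ZCU.CZ
permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allow_weak_enctypes = yes

[appdefaults]
krb5_run_aklog = true'

# Constructed corrected krb5.conf: the recognized key is allow_weak_crypto.
CONF_FIXED='[libdefaults]
default_realm = ZCU.CZ
permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allow_weak_crypto = true

[appdefaults]
krb5_run_aklog = true'

# Print the service principal of every ticket whose session key (skey) or
# ticket key (tkt) is single DES. Reads `klist -fe` output on stdin.
weak_tickets() {
    awk '
        # A ticket line starts with a date; its last field is the principal.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { princ = $NF }
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): /, "")
            n = split($0, et, /, /)
            # "Triple DES ..." does not match; only single DES does.
            for (i = 1; i <= n; i++)
                if (et[i] ~ /^DES cbc/) { print princ; break }
        }'
}

# Exit 0 if the [libdefaults] section of the krb5.conf read on stdin sets
# allow_weak_crypto to true/yes, exit 1 otherwise.
allows_weak_crypto() {
    awk '
        /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/) }
        in_libdefaults && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            if (v == "true" || v == "yes") found = 1
        }
        END { exit found ? 0 : 1 }'
}

main() {
    echo "Tickets with single-DES keys:"
    printf '%s\n' "$SAMPLE_KLIST" | weak_tickets
    for conf in "$CONF_AS_POSTED" "$CONF_FIXED"; do
        if printf '%s\n' "$conf" | allows_weak_crypto; then
            echo "krb5.conf: allow_weak_crypto enabled"
        else
            echo "krb5.conf: allow_weak_crypto NOT enabled (DES tickets will fail)"
        fi
    done
}
main
```

On a real host, replace the embedded sample with `klist -fe | weak_tickets` and `allows_weak_crypto < /etc/krb5.conf`. The posted config already lists `des-cbc-md5` and `des-cbc-crc` in `permitted_enctypes` and the `default_*_enctypes` lists, so only the `allow_weak_crypto = true` line is missing on the client side; re-enabling single DES is a stopgap, and the durable fix is to move the AFS service key off DES.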