[OpenAFS] enctype issues with Heimdal and debian for afs/cell

Gémes Géza geza@kzsdabas.hu
Fri, 19 Jul 2013 13:36:29 +0200


On 2013-07-19 12:11, Coy Hile wrote:
> Hi all,
>
> After some time, I'm finally getting around to putting my personal cell back up (this time on Debian with openafs-1.6.4 from wheezy-backports and Heimdal).
>
> My afs/cell principal is set up thusly:
>
> kadmin> get afs/coyhile.com
>              Principal: afs/coyhile.com@COYHILE.COM
>      Principal expires: never
>       Password expires: never
>   Last password change: 2013-07-19 10:00:32 UTC
>        Max ticket life: 1 day
>     Max renewable life: 1 week
>                   Kvno: 3
>                  Mkvno: unknown
> Last successful login: never
>      Last failed login: never
>     Failed login count: 0
>          Last modified: 2013-07-19 10:00:32 UTC
>               Modifier: kadmin/admin@COYHILE.COM
>             Attributes:
>               Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], des-cbc-md5(pw-salt())[3]
>            PK-INIT ACL:
>                Aliases:
Maybe you should remove the non-des-cbc ones, and it couldn't hurt to have a 
des-cbc-crc one as well before generating the KeyFile.
> kadmin> ext -k AFSKEYFILE:/etc/openafs/server/KeyFile afs/coyhile.com
> kadmin>
>
> and in krb5.conf, I do have allow_weak_crypto = true in libdefaults.
On the KDC, AFS servers and client?
>
> All in all, Heimdal is working fine, but aklog is failing to get me tokens:
>
> chaos:/var/log # kinit admin
> admin@COYHILE.COM's Password:
> chaos:/var/log # klist
> Credentials cache: FILE:/tmp/krb5cc_1141449863_q94vTe
>          Principal: admin@COYHILE.COM
>
>    Issued                Expires               Principal
> Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  krbtgt/COYHILE.COM@COYHILE.COM
> Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  afs/coyhile.com@COYHILE.COM
> chaos:/var/log # aklog -d
> Authenticating to cell coyhile.com (server chaos.coyhile.com).
> Trying to authenticate to user's realm COYHILE.COM.
> Getting tickets: afs/coyhile.com@COYHILE.COM
> Kerberos error code returned by get_cred : -1765328370
> aklog: Couldn't get coyhile.com AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> chaos:/var/log #
>
> and in the KDC logs, I see this:
>
> 2013-07-19T10:07:40 ENC-TS Pre-authentication succeeded -- admin@COYHILE.COM using aes256-cts-hmac-sha1-96
> 2013-07-19T10:07:40 ENC-TS pre-authentication succeeded -- admin@COYHILE.COM
> 2013-07-19T10:07:40 AS-REQ authtime: 2013-07-19T10:07:40 starttime: unset endtime: 2013-07-20T10:07:36 renew till: 2013-07-26T10:07:36
> 2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> 2013-07-19T10:07:40 Requested flags: renewable, forwardable
> 2013-07-19T10:07:40 sending 738 bytes to IPv4:37.153.98.57
> 2013-07-19T10:07:40 TGS-REQ admin@COYHILE.COM from IPv4:37.153.98.57 for afs/coyhile.com@COYHILE.COM [canonicalize, renewable, forwardable]
> 2013-07-19T10:07:40 Server (afs/coyhile.com@COYHILE.COM) has no support for etypes
> 2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
> 2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client
>
> Does *everything* need a DES key, or just the afs/cell principal?
>
> -c
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
Regards

Geza Gemes
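The mismatch discussed above can be checked mechanically. The following is an added example, not code from the thread or from OpenAFS/Heimdal: it decodes aklog's error code and intersects the principal's Keytypes line with the enctypes a client asks for. It assumes, as the reply does, that 1.6-era aklog/rxkad needs a single-DES service key, so the default `aklog_etypes` of des-cbc-crc is an assumption.

```python
"""Added diagnostic (not from the thread): decode aklog's Kerberos error and
check which enctypes the afs/cell principal shares with what clients ask for."""
# Kerberos KDC protocol errors are reported as com_err codes from this base;
# -1765328370 - base = 14, which is KRB5KDC_ERR_ETYPE_NOSUPP.
KRB5KDC_ERR_BASE = -1765328384
KDC_ERR_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
                 14: "KRB5KDC_ERR_ETYPE_NOSUPP", 24: "KRB5KDC_ERR_PREAUTH_FAILED"}

# Sample input copied from the thread above (principal dump and KDC log line).
KADMIN_KEYTYPES = ("Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], "
                   "des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], "
                   "des-cbc-md5(pw-salt())[3]")
KDC_LOG = ("2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, "
           "aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, "
           "des-cbc-md5, des-cbc-md4, des-cbc-crc, "
           "using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96")

def decode_krb5_error(code):
    """Map a negative krb5 error code to its KRB5KDC_ERR_* name."""
    offset = code - KRB5KDC_ERR_BASE
    if 0 <= offset < 128:
        return KDC_ERR_NAMES.get(offset, "KRB5KDC_ERR_%d" % offset)
    return "not a KDC protocol error"

def parse_keytypes(line):
    """Enctype names from a Heimdal kadmin 'Keytypes:' line, salt and kvno stripped."""
    _, _, rest = line.partition("Keytypes:")
    return [item.strip().split("(")[0] for item in rest.split(",") if item.strip()]

def parse_client_enctypes(line):
    """Enctype list from a Heimdal KDC 'Client supported enctypes:' log line."""
    _, _, rest = line.partition("Client supported enctypes:")
    return [e.strip() for e in rest.split(", using")[0].split(",") if e.strip()]

def diagnose(kadmin_line, kdc_log_line, error_code, aklog_etypes=("des-cbc-crc",)):
    """Assumption: 1.6-era aklog/rxkad can only use a single-DES (des-cbc-crc)
    service key, so that is the enctype list checked against the principal."""
    principal = parse_keytypes(kadmin_line)
    kinit = parse_client_enctypes(kdc_log_line)
    return {"error": decode_krb5_error(error_code),
            "principal_keytypes": principal,
            # what kinit could use: the AS-REQ succeeded, so this is non-empty
            "kinit_common": [e for e in kinit if e in principal],
            # what aklog could use: empty here, hence ETYPE_NOSUPP from the TGS
            "aklog_common": [e for e in aklog_etypes if e in principal]}

if __name__ == "__main__":
    print(diagnose(KADMIN_KEYTYPES, KDC_LOG, -1765328370))
```

Re-running `diagnose` on a Keytypes line that also lists des-cbc-crc shows a non-empty `aklog_common`, which is the state the reply is steering towards before the KeyFile is regenerated.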