[OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

Andreas Ladanyi andreas.ladanyi@kit.edu
Mon, 10 Nov 2014 10:09:54 +0100


This is a cryptographically signed message in MIME format.

--------------ms050902020902020905050508
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi,
> On Fri, 07 Nov 2014 16:05:11 +0100
> Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:
>
>> sorry i didnt told that. In FreeIPA you must enable the DES salttype. =
I
>> enabled the des-cbc-crc:normal and des-cbc-crc:v4.
> I'm not too familiar with FreeIPA, but usually you need to enable "weak=

> enctypes" separately from enabling DES specifically. That is, you need
> to turn on those specific enctypes (for the principal, and possibly for=

> the whole KDC), but you also need to enable "weak crypto" in krb5.conf
> like Brandon mentioned.
>
> Or maybe what you did for this was correct, and something else is the
> problem. I'm sending some other things to try out in a moment.
I solved the problem but im not exactly sure why it works now :-)

In the past i firstly created a principal in FreeIPA Kerberos with
kadmin.local tool named "afs/cellname@REALM" with one key:

Key: vno 2, des-cbc-crc, no salt

The result was the OpenAFS error message: Kerberos error code returned
by get_cred : -1765328370, KRB5KDC_ERR_ETYPE_NOSUPP

To solve the problem it was enough to use FreeIPA command
"ipa-getkeytab". This command generate 7 new keys for the
"afs/cellname@REALM" principal. The DES key is also generated because i
enabled it in FreeIPA.

Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, camellia128-cts-cmac, no salt
Key: vno 2, camellia256-cts-cmac, no salt
Key: vno 2, des-cbc-crc, no salt


Now aklog works and i can get a AFS token. Why are all this keys
important for aklog ? Or which key exeptly the DES key is important ?

cheers,
Andreas




--------------ms050902020902020905050508
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIP+jCC
BNUwggO9oAMCAQICCFBOxvU9EbRkMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAkRFMRww
GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVTZWMgVHJ1c3Qg
Q2VudGVyMSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjAeFw0xNDA3MjIx
MjA4MjZaFw0xOTA3MDkyMzU5MDBaMFoxCzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVy
ZWluMRAwDgYDVQQLEwdERk4tUEtJMSQwIgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwg
LSBHMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpm8NnhfkNrvWNVMOWUDU9
YuluTO2U1wBblSJ01CDrNI/W7MAxBAuZgeKmFNJSoCgjhIt0iQReW+DieMF4yxbLKDU5ey2Q
RdDtoAB6fL9KDhsAw4bpXCsxEXsM84IkQ4wcOItqaACa7txPeKvSxhObdq3u3ibo7wGvdA/B
CaL2a869080UME/15eOkyGKbghoDJzANAmVgTe3RCSMqljVYJ9N2xnG2kB3E7f81hn1vM7Pb
D8URwoqDoZRdQWvY0hD1TP3KUazZve+Sg7va64sWVlZDz+HVEz2mHycwzUlU28kTNJpxdcVs
6qcLmPkhnSevPqM5OUhqjK3JmfvDEvK9AgMBAAGjggGGMIIBgjAOBgNVHQ8BAf8EBAMCAQYw
HQYDVR0OBBYEFEm3xs/oPR9/6kR7Eyn38QpwPt5kMB8GA1UdIwQYMBaAFDHDeRu69VPXF+CJ
ei0XbAqzK50zMBIGA1UdEwEB/wQIMAYBAf8CAQIwYgYDVR0gBFswWTARBg8rBgEEAYGtIYIs
AQEEAgIwEQYPKwYBBAGBrSGCLAEBBAMAMBEGDysGAQQBga0hgiwBAQQDATAPBg0rBgEEAYGt
IYIsAQEEMA0GCysGAQQBga0hgiweMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9wa2kwMzM2
LnRlbGVzZWMuZGUvcmwvRFRfUk9PVF9DQV8yLmNybDB4BggrBgEFBQcBAQRsMGowLAYIKwYB
BQUHMAGGIGh0dHA6Ly9vY3NwMDMzNi50ZWxlc2VjLmRlL29jc3ByMDoGCCsGAQUFBzAChi5o
dHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL2NydC9EVF9ST09UX0NBXzIuY2VyMA0GCSqGSIb3
DQEBCwUAA4IBAQBjICj9nCGGcr45Rlk5MiW8qQGbDczKfUGchm0KbiyzE1l1sTOSG2EnFv/D
stU1gvuEKgFJvWa7Zi+ywgZdbj9u4wFaW8pDY1yVtuExpx/VB19N5mWCTjL5w3x6S81NXHTu
IfJ1AuxSPtLJatOQI25JZzW+f01WpOzML8+3oZeocj7JvEDWWqQIPda8gsO3tzKOsSyOam23
NQIZz/U5RFhjpyQAELC7/E6vbi84u6VXST/YblBvLJeW3B1GmmWJz67M8uXZn1OzPqEvkqnY
C8aEHwTG6x7on321e6UC8STFJGMRNMxakyAqeYg6JUKQqWU7fIbTEhUjKfws2sw5W1QXMIIF
hTCCBG2gAwIBAgIHGG3Jfo2QSjANBgkqhkiG9w0BAQsFADCBvzELMAkGA1UEBhMCREUxGzAZ
BgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQK
EyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVj
aCBDZW50cmUgZm9yIENvbXB1dGluZzEPMA0GA1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkB
FgpjYUBraXQuZWR1MB4XDTE0MTAyNzEzNDMxMFoXDTE3MTAyNjEzNDMxMFowUzELMAkGA1UE
BhMCREUxKjAoBgNVBAoTIUthcmxzcnVoZSBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEYMBYG
A1UEAxMPQW5kcmVhcyBMYWRhbnlpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tL0UuEE0MQWYP5MZOt+SBBDmGHZDf99xUzsFwyxvBaoS3TBZC/hul8ylNsOTrOvNbdJFOPTB
izqfYQGf+JIxAgPomyG4jomQvMXhKXcf/obhf5lj2eBN0np/wLktMvFvj+HIEBh38/1o3ZXE
SV4aMhvNW9VO116K0fh3/7TElksZ95zNj77js/JoEMQB8mGw27hw5u8VOKrDEWuzTBu4M7Vg
MdzNrYi+m3AiYv1m110i6rJ4otbThGRfcEbDHwqfONfminidzyS4aHpNyO7U98xmn360m8qs
q3smEn7XRGRgVlpzu7lNuJ8AvKZGPrM4OJ1Rhgxo5enuS1XVw29IBwIDAQABo4IB7zCCAesw
QAYDVR0gBDkwNzARBg8rBgEEAYGtIYIsAQEEAwIwEQYPKwYBBAGBrSGCLAIBBAMBMA8GDSsG
AQQBga0hgiwBAQQwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH
AwIGCCsGAQUFBwMEMB0GA1UdDgQWBBRSBxcWWTqn7d35eE0sUlWSXfPOizAfBgNVHSMEGDAW
gBQfdGX0mh169jHp32EbcysNbdAzSTAiBgNVHREEGzAZgRdhbmRyZWFzLmxhZGFueWlAa2l0
LmVkdTB3BgNVHR8EcDBuMDWgM6Axhi9odHRwOi8vY2RwMS5wY2EuZGZuLmRlL2tpdC1jYS9w
dWIvY3JsL2NhY3JsLmNybDA1oDOgMYYvaHR0cDovL2NkcDIucGNhLmRmbi5kZS9raXQtY2Ev
cHViL2NybC9jYWNybC5jcmwwgZIGCCsGAQUFBwEBBIGFMIGCMD8GCCsGAQUFBzAChjNodHRw
Oi8vY2RwMS5wY2EuZGZuLmRlL2tpdC1jYS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwPwYIKwYB
BQUHMAKGM2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUva2l0LWNhL3B1Yi9jYWNlcnQvY2FjZXJ0
LmNydDANBgkqhkiG9w0BAQsFAAOCAQEALmsJ+qKYuD1TTYxYAYcOUc7Pw3SBI+PX941ze1n2
coAeuXY2Ldd2lrjyirS8eHuPCZihmbVlMe/26WqBwDLN/vk7FC5c0aatidQz6MoquWJWnHSj
1XlB/AOv9aD4tKLHURw7ejFvY3imott/vrLJrt2WjYvPaMvwAoZKgTY2bXEZQjWYnGJRthuK
1OG4CFJlQphREiewuqzjCxABnC3Rmo7BWy/yGeMGSkMsTg+uhOwv8568KtJE3z4uTWtN1w0d
T1uI1/uJ5jrsyoodUg/q31lGGgtrmElCwrHJSk+6Hp6KCXilzY9d/N/CQXkHnNLu6aDgc8gX
n9Y/cLepRKKZvzCCBZQwggR8oAMCAQICBxev928jIukwDQYJKoZIhvcNAQELBQAwWjELMAkG
A1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNVBAsTB0RGTi1QS0kxJDAiBgNV
BAMTG0RGTi1WZXJlaW4gUENBIEdsb2JhbCAtIEcwMTAeFw0xNDA2MDUxNDA4MzFaFw0xOTA3
MDkyMzU5MDBaMIG/MQswCQYDVQQGEwJERTEbMBkGA1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJn
MRIwEAYDVQQHEwlLYXJsc3J1aGUxKjAoBgNVBAoTIUthcmxzcnVoZSBJbnN0aXR1dGUgb2Yg
VGVjaG5vbG9neTEnMCUGA1UECxMeU3RlaW5idWNoIENlbnRyZSBmb3IgQ29tcHV0aW5nMQ8w
DQYDVQQDEwZLSVQtQ0ExGTAXBgkqhkiG9w0BCQEWCmNhQGtpdC5lZHUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDMsqiKiaKAQVEpL20dPB0IejTRPrajRK7mwwXpqBo/APNN
8IPtcb16pITtb5wQAaeVPvu8YA+bi5U3Dm/xeFBayQQcvUAp04cwm/nqhvveCMOpvC41qgiq
K/ZSsDQlIre78zQDgndK9IjQmFdv8XCvLR0h8N5hl4L8H2NBfY9eJ1BIPZ3eZD6tAMPYkBw7
mJzs9wPDVU6V6Uws4kEwmSUGBEw7Avp8p0DdrLwJgFd1dRyUXvwA+oncv+hzdBLQCDj5RNac
deDRUuEmalJPxeLw/KcUs/2FMGwhiuCB9+1fW3G0JgPDTTSgbRS6l9faL7kJ99pUcElvws9x
4/s0kT9zAgMBAAGjggH3MIIB8zASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIB
BjARBgNVHSAECjAIMAYGBFUdIAAwHQYDVR0OBBYEFB90ZfSaHXr2MenfYRtzKw1t0DNJMB8G
A1UdIwQYMBaAFEm3xs/oPR9/6kR7Eyn38QpwPt5kMBUGA1UdEQQOMAyBCmNhQGtpdC5lZHUw
gYgGA1UdHwSBgDB+MD2gO6A5hjdodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2dsb2JhbC1yb290
LWNhL3B1Yi9jcmwvY2FjcmwuY3JsMD2gO6A5hjdodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2ds
b2JhbC1yb290LWNhL3B1Yi9jcmwvY2FjcmwuY3JsMIHXBggrBgEFBQcBAQSByjCBxzAzBggr
BgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEcGCCsG
AQUFBzAChjtodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWNhL3B1Yi9jYWNl
cnQvY2FjZXJ0LmNydDBHBggrBgEFBQcwAoY7aHR0cDovL2NkcDIucGNhLmRmbi5kZS9nbG9i
YWwtcm9vdC1jYS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwDQYJKoZIhvcNAQELBQADggEBADoW
Jv/UVyB9nfsoym9xKp8a7sOLa4XSPU/xrKF4Dp3UdlKdzDK2JvzCziF50SiH54ZuKbsKUa6Y
XwHiWHO7tsUW2+r6cnbf6FGcvylyeOtetQsoKvB2bMhEG0fn1B4+9k5IuXJpcQSHiKZhRa/l
qNWO95hKHvhtUO8dlTYtlTaSEmv6RAcfw2JcYKiB2GC97h3YpwimDC15sfzwYdnhTdSXF54C
VPgwHPL85cR/YI7KlQtjvI6yz14mma7ffYN6W7UBDPPc/5emiYIgxbwEBFZ5orfkvPtfeJUu
T3FI7RBmE8mPl/betefdZzqF1F357emrpuGH9gZbJp98SgruQqgxggSCMIIEfgIBATCByzCB
vzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBxMJ
S2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kx
JzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1dGluZzEPMA0GA1UEAxMGS0lU
LUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1AgcYbcl+jZBKMAkGBSsOAwIaBQCgggKL
MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE0MTExMDA5MDk1
NFowIwYJKoZIhvcNAQkEMRYEFCXD+ytLypN1fEoKdi6baNHTYyV+MGwGCSqGSIb3DQEJDzFf
MF0wCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgdwGCSsGAQQBgjcQ
BDGBzjCByzCBvzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzES
MBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRl
Y2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1dGluZzEPMA0G
A1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1AgcYbcl+jZBKMIHeBgsq
hkiG9w0BCRACCzGBzqCByzCBvzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0
dGVtYmVyZzESMBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0
dXRlIG9mIFRlY2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1
dGluZzEPMA0GA1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1AgcYbcl+
jZBKMA0GCSqGSIb3DQEBAQUABIIBABi9ZxGWvIiIKmNtl8uHBsUs3o0sU6kggyXFUCIznLqU
Cyl++C99GyIEncJgcwkvK0DneERVdNx9L+J3iIgQACt1Hp3EN9GjWBVr54rSdjlZPwR+e0HM
GrrX0ZoU7xpPI0y21z+JDgHx2xSggyeylToNMj2rjs8t/knuwCtEYURj8faUD2qKXl/lWxNM
7j9c4n+juuXHH9jLAUsYbAyVJ40QkzjPpD8bATCOSDXlzN0nC+74OoyWTuRgEnG9rFbuH96Y
C1gNAA5pDBOHAJHM/s3oKzIZWgMP8irWuNkYfJs13zF2nVNGHKun+o91h9rjBFnXKS7bGPeg
yPOXvyyJ2AkAAAAAAAA=
--------------ms050902020902020905050508--