[OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

Andrew Deason adeason@sinenomine.net
Tue, 11 Nov 2014 10:09:18 -0600

On Tue, 11 Nov 2014 09:28:35 +0100
Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:

> No the token from aklog doesn't work fine. I could only list the user
> directories (name of the users). I could not enter the user directories.
> I couldn't enter my own directory. The AFS ID of the token is ok and
> matches the owner uid of my user directory.

Okay, that makes more sense; I wouldn't expect that to work, so I was a
little confused.

So the reason that aklog "works" in that situation is because using the
IPA tool gives you an AES key, amongst others. aklog then tries to use
that AES key, which the KDC allows (since it's not "weak" crypto since
it's not DES). But you don't have your cell configured to use AES keys,
so the token doesn't actually work.

On Tue, 11 Nov 2014 11:03:51 +0100
Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:

> > Or change what enctype you request like so:
> >
> > $ kvno -e des-cbc-crc afs/CELL
> > $ kvno -e aes256-hmac-cts afs/cell # this should _not_ work
> kvno -e des-cbc-crc afs/cellname
> kvno: KDC has no support for encryption type while getting credentials
> for afs/cellname@Realm B (the new Realm on FreeIPA)
> kvno -e aes256-cts-hmac-sha1-96  afs/cellname
> afs/cellname@Realm B: kvno = 1

Yes, so you need to resolve that before this will work with the KeyFile
with single DES.

However, I should note that since you're migrating to afs/cell@REALM_B,
you have an opportunity to migrate to what is called "rxkad-k5", which
allows AFS to use non-DES keys such as aes. Are you trying to avoid
doing this, or were you maybe not aware that this exists?

This might be easier for you to configure than trying to figure out what
flags and settings and such you need to set in the KDC to let you use
single DES; and of course, using non-DES is more secure and preferred.
But you can only do this if all of your openafs servers are running
1.6.5 or newer; and if your KDC is refusing to use single-DES, you may
have trouble using 'aklog' with clients that are older than 1.6.5.

If you want to try that approach, turn DES _off_ for AFS on the REALM_B
KDC, and extract a new keytab for afs/cell@REALM. Make sure that the
kvnos in this keytab are different than any of the kvnos in your
existing KeyFile. To install the new keytab, instead of using asetkey or
doing anything with the 'KeyFile', just copy that keytab to
/usr/afs/etc/rxkad.keytab (or equivalent location; put it in the same
dir that the 'KeyFile' is).

More information about this can be found here:
<http://openafs.org/pages/security/install-rxkad-k5-1.6.txt> and here:
<http://openafs.org/pages/security/how-to-rekey.txt>, but those
documents are written with the idea of migrating existing cells and
realms. You can sort-of follow the instructions for the "afs/cell
Transition Procedure", since migrating to a new realm is somewhat

Andrew Deason
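As an added example (not part of this mail or of OpenAFS itself), a Python script that applies the two checks the message asks for before a freshly extracted keytab is copied to /usr/afs/etc/rxkad.keytab: it parses the existing KeyFile (a big-endian int32 count followed by kvno/8-byte single-DES key records), parses the new keytab (MIT keytab format version 0x0502), reports any kvno the keytab shares with the KeyFile, and flags any single-DES entry still present for the afs/ principal. The KeyFile and keytab bytes are constructed inline with dummy keys; the principal afs/cellname@REALM_B and the function names check_rekey and make_keytab are assumptions.

```python
import struct

# Kerberos enctype numbers (IANA registry); the ones that matter here.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
SINGLE_DES = {1, 2, 3}


def parse_keyfile(data):
    """OpenAFS KeyFile: big-endian int32 key count, then records of
    (int32 kvno, 8-byte single-DES key). Returns the list of kvnos."""
    (nkeys,) = struct.unpack(">i", data[:4])
    return [struct.unpack(">i", data[4 + 12 * i:8 + 12 * i])[0]
            for i in range(nkeys)]


def _counted(data, off):
    """Read a uint16-length-prefixed string (realm or name component)."""
    (n,) = struct.unpack(">H", data[off:off + 2])
    return data[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """MIT keytab, version 0x0502: returns [(principal, kvno, enctype), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 2 (0x0502) is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack(">H", data[off:off + 2])
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        off += 8                      # uint32 name type, uint32 timestamp
        kvno = data[off]              # 8-bit kvno
        enctype, keylen = struct.unpack(">HH", data[off + 1:off + 5])
        off += 5 + keylen             # skip the key material itself
        if end - off >= 4:            # optional 32-bit kvno extension
            (vno32,) = struct.unpack(">I", data[off:off + 4])
            kvno = vno32 or kvno
        off = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def check_rekey(keyfile_bytes, keytab_bytes, principal_prefix="afs/"):
    """The two checks from the mail: no kvno in the new keytab may collide
    with one already in KeyFile, and no single-DES key should remain."""
    old_kvnos = set(parse_keyfile(keyfile_bytes))
    entries = [e for e in parse_keytab(keytab_bytes)
               if e[0].startswith(principal_prefix)]
    new_kvnos = {kvno for _, kvno, _ in entries}
    clash = old_kvnos & new_kvnos
    des = [(p, k, ENCTYPE_NAMES.get(e, str(e)))
           for p, k, e in entries if e in SINGLE_DES]
    return {"keyfile_kvnos": sorted(old_kvnos), "keytab_kvnos": sorted(new_kvnos),
            "kvno_clash": sorted(clash), "des_entries": des,
            "ok": bool(entries) and not clash and not des}


def make_keytab(entries):
    """Build a constructed version-2 keytab from
    (realm, components, kvno, enctype, key) tuples; sample input only."""
    out = b"\x05\x02"
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))
        for s in [realm] + list(comps):
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key))
        body += key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample data with dummy keys: a KeyFile holding kvnos 1 and 2,
# padded to the 100 bytes the on-disk struct occupies.
SAMPLE_KEYFILE = (struct.pack(">ii", 2, 1) + b"\x11" * 8 +
                  struct.pack(">i", 2) + b"\x22" * 8).ljust(100, b"\x00")

# Keytab extracted after DES was turned off: fresh kvno 3, AES only.
GOOD_KEYTAB = make_keytab([("REALM_B", ["afs", "cellname"], 3, 18, b"\x33" * 32),
                           ("REALM_B", ["afs", "cellname"], 3, 17, b"\x44" * 16)])

# Keytab that would break the transition: kvno 2 reused, single-DES present.
BAD_KEYTAB = make_keytab([("REALM_B", ["afs", "cellname"], 2, 1, b"\x55" * 8),
                          ("REALM_B", ["afs", "cellname"], 2, 18, b"\x66" * 32)])

if __name__ == "__main__":
    for name, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        print(name, check_rekey(SAMPLE_KEYFILE, kt))
```

Against real files, read /usr/afs/etc/KeyFile and the keytab produced for afs/cell@REALM_B into bytes and pass them to check_rekey; an empty kvno_clash list and an empty des_entries list are what you want before copying the keytab into place.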