[OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration
Andreas Ladanyi
andreas.ladanyi@kit.edu
Mon, 17 Nov 2014 16:28:51 +0100
This is a cryptographically signed message in MIME format.
--------------ms050507060501080708060205
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
> On Tue, 11 Nov 2014 09:28:35 +0100
> Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:
>
>> No the token from aklog doesnt work fine. I could only list the user
>> directories (name of the users). I could not enter the user directorie=
s.
>> I couldnt enter my own directory. The AFS ID of the token is ok and
>> matches the owner uid of my user directory.
> Okay, that makes more sense; I wouldn't expect that to work, so I was a=
> little confused.
>
> So the reason that aklog "works" in that situation is because using the=
> IPA tool give you an AES key, amongst others. aklog then tries to use
> that AES key, which the KDC allows (since it's not "weak" crypto since
> it's not DES). But you don't have your cell configured to use AES keys,=
> so the token doesn't actually work.
>
>
> On Tue, 11 Nov 2014 11:03:51 +0100
> Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:
>
>>> Or change what enctype you request like so:
>>>
>>> $ kvno -e des-cbc-crc afs/CELL
>>> $ kvno -e aes256-hmac-cts afs/cell # this should _not_ work
>> kvno -e des-cbc-crc afs/cellname
>> kvno: KDC has no support for encryption type while getting credentials=
>> for afs/cellname@Realm B (the new Realm on FreeIPA)
>>
>> kvno -e aes256-cts-hmac-sha1-96 afs/cellname
>> afs/cellname@Realm B: kvno =3D 1
> Yes, so you need to resolve that before this will work with the KeyFile=
> with single DES.
I think i solved this issue now:
1.)=20
kinit ........
kvno -e des-cbc-crc afs/CELL
afs/cellname@REALM: kvno =3D 1
klist -e for the afs/cellname service ticket:
des-cbc-crc, aes256-cts-hmac-sha1-96
2.)
kinit .....
kvno -e aes256-cts afs/CELL results in:
afs/cellname@REALM: kvno =3D 1
klist -e for the afs/cellname service ticket:
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
3.)
kinit .......
aklog
klist -e shows me a afs service ticket without des-cbc-crc:
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
In none of the above cases the afs service ticket work correctly
although In the 1. case i have a des-cbc-crc key.
I cant access my user directory in afs. I get a permission denied error.
cheers,
Andreas
--------------ms050507060501080708060205
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIP+jCC
BNUwggO9oAMCAQICCFBOxvU9EbRkMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAkRFMRww
GgYDVQQKExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVTZWMgVHJ1c3Qg
Q2VudGVyMSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjAeFw0xNDA3MjIx
MjA4MjZaFw0xOTA3MDkyMzU5MDBaMFoxCzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVy
ZWluMRAwDgYDVQQLEwdERk4tUEtJMSQwIgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwg
LSBHMDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpm8NnhfkNrvWNVMOWUDU9
YuluTO2U1wBblSJ01CDrNI/W7MAxBAuZgeKmFNJSoCgjhIt0iQReW+DieMF4yxbLKDU5ey2Q
RdDtoAB6fL9KDhsAw4bpXCsxEXsM84IkQ4wcOItqaACa7txPeKvSxhObdq3u3ibo7wGvdA/B
CaL2a869080UME/15eOkyGKbghoDJzANAmVgTe3RCSMqljVYJ9N2xnG2kB3E7f81hn1vM7Pb
D8URwoqDoZRdQWvY0hD1TP3KUazZve+Sg7va64sWVlZDz+HVEz2mHycwzUlU28kTNJpxdcVs
6qcLmPkhnSevPqM5OUhqjK3JmfvDEvK9AgMBAAGjggGGMIIBgjAOBgNVHQ8BAf8EBAMCAQYw
HQYDVR0OBBYEFEm3xs/oPR9/6kR7Eyn38QpwPt5kMB8GA1UdIwQYMBaAFDHDeRu69VPXF+CJ
ei0XbAqzK50zMBIGA1UdEwEB/wQIMAYBAf8CAQIwYgYDVR0gBFswWTARBg8rBgEEAYGtIYIs
AQEEAgIwEQYPKwYBBAGBrSGCLAEBBAMAMBEGDysGAQQBga0hgiwBAQQDATAPBg0rBgEEAYGt
IYIsAQEEMA0GCysGAQQBga0hgiweMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9wa2kwMzM2
LnRlbGVzZWMuZGUvcmwvRFRfUk9PVF9DQV8yLmNybDB4BggrBgEFBQcBAQRsMGowLAYIKwYB
BQUHMAGGIGh0dHA6Ly9vY3NwMDMzNi50ZWxlc2VjLmRlL29jc3ByMDoGCCsGAQUFBzAChi5o
dHRwOi8vcGtpMDMzNi50ZWxlc2VjLmRlL2NydC9EVF9ST09UX0NBXzIuY2VyMA0GCSqGSIb3
DQEBCwUAA4IBAQBjICj9nCGGcr45Rlk5MiW8qQGbDczKfUGchm0KbiyzE1l1sTOSG2EnFv/D
stU1gvuEKgFJvWa7Zi+ywgZdbj9u4wFaW8pDY1yVtuExpx/VB19N5mWCTjL5w3x6S81NXHTu
IfJ1AuxSPtLJatOQI25JZzW+f01WpOzML8+3oZeocj7JvEDWWqQIPda8gsO3tzKOsSyOam23
NQIZz/U5RFhjpyQAELC7/E6vbi84u6VXST/YblBvLJeW3B1GmmWJz67M8uXZn1OzPqEvkqnY
C8aEHwTG6x7on321e6UC8STFJGMRNMxakyAqeYg6JUKQqWU7fIbTEhUjKfws2sw5W1QXMIIF
hTCCBG2gAwIBAgIHGG3Jfo2QSjANBgkqhkiG9w0BAQsFADCBvzELMAkGA1UEBhMCREUxGzAZ
BgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQK
EyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVj
aCBDZW50cmUgZm9yIENvbXB1dGluZzEPMA0GA1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkB
FgpjYUBraXQuZWR1MB4XDTE0MTAyNzEzNDMxMFoXDTE3MTAyNjEzNDMxMFowUzELMAkGA1UE
BhMCREUxKjAoBgNVBAoTIUthcmxzcnVoZSBJbnN0aXR1dGUgb2YgVGVjaG5vbG9neTEYMBYG
A1UEAxMPQW5kcmVhcyBMYWRhbnlpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tL0UuEE0MQWYP5MZOt+SBBDmGHZDf99xUzsFwyxvBaoS3TBZC/hul8ylNsOTrOvNbdJFOPTB
izqfYQGf+JIxAgPomyG4jomQvMXhKXcf/obhf5lj2eBN0np/wLktMvFvj+HIEBh38/1o3ZXE
SV4aMhvNW9VO116K0fh3/7TElksZ95zNj77js/JoEMQB8mGw27hw5u8VOKrDEWuzTBu4M7Vg
MdzNrYi+m3AiYv1m110i6rJ4otbThGRfcEbDHwqfONfminidzyS4aHpNyO7U98xmn360m8qs
q3smEn7XRGRgVlpzu7lNuJ8AvKZGPrM4OJ1Rhgxo5enuS1XVw29IBwIDAQABo4IB7zCCAesw
QAYDVR0gBDkwNzARBg8rBgEEAYGtIYIsAQEEAwIwEQYPKwYBBAGBrSGCLAIBBAMBMA8GDSsG
AQQBga0hgiwBAQQwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH
AwIGCCsGAQUFBwMEMB0GA1UdDgQWBBRSBxcWWTqn7d35eE0sUlWSXfPOizAfBgNVHSMEGDAW
gBQfdGX0mh169jHp32EbcysNbdAzSTAiBgNVHREEGzAZgRdhbmRyZWFzLmxhZGFueWlAa2l0
LmVkdTB3BgNVHR8EcDBuMDWgM6Axhi9odHRwOi8vY2RwMS5wY2EuZGZuLmRlL2tpdC1jYS9w
dWIvY3JsL2NhY3JsLmNybDA1oDOgMYYvaHR0cDovL2NkcDIucGNhLmRmbi5kZS9raXQtY2Ev
cHViL2NybC9jYWNybC5jcmwwgZIGCCsGAQUFBwEBBIGFMIGCMD8GCCsGAQUFBzAChjNodHRw
Oi8vY2RwMS5wY2EuZGZuLmRlL2tpdC1jYS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwPwYIKwYB
BQUHMAKGM2h0dHA6Ly9jZHAyLnBjYS5kZm4uZGUva2l0LWNhL3B1Yi9jYWNlcnQvY2FjZXJ0
LmNydDANBgkqhkiG9w0BAQsFAAOCAQEALmsJ+qKYuD1TTYxYAYcOUc7Pw3SBI+PX941ze1n2
coAeuXY2Ldd2lrjyirS8eHuPCZihmbVlMe/26WqBwDLN/vk7FC5c0aatidQz6MoquWJWnHSj
1XlB/AOv9aD4tKLHURw7ejFvY3imott/vrLJrt2WjYvPaMvwAoZKgTY2bXEZQjWYnGJRthuK
1OG4CFJlQphREiewuqzjCxABnC3Rmo7BWy/yGeMGSkMsTg+uhOwv8568KtJE3z4uTWtN1w0d
T1uI1/uJ5jrsyoodUg/q31lGGgtrmElCwrHJSk+6Hp6KCXilzY9d/N/CQXkHnNLu6aDgc8gX
n9Y/cLepRKKZvzCCBZQwggR8oAMCAQICBxev928jIukwDQYJKoZIhvcNAQELBQAwWjELMAkG
A1UEBhMCREUxEzARBgNVBAoTCkRGTi1WZXJlaW4xEDAOBgNVBAsTB0RGTi1QS0kxJDAiBgNV
BAMTG0RGTi1WZXJlaW4gUENBIEdsb2JhbCAtIEcwMTAeFw0xNDA2MDUxNDA4MzFaFw0xOTA3
MDkyMzU5MDBaMIG/MQswCQYDVQQGEwJERTEbMBkGA1UECBMSQmFkZW4tV3VlcnR0ZW1iZXJn
MRIwEAYDVQQHEwlLYXJsc3J1aGUxKjAoBgNVBAoTIUthcmxzcnVoZSBJbnN0aXR1dGUgb2Yg
VGVjaG5vbG9neTEnMCUGA1UECxMeU3RlaW5idWNoIENlbnRyZSBmb3IgQ29tcHV0aW5nMQ8w
DQYDVQQDEwZLSVQtQ0ExGTAXBgkqhkiG9w0BCQEWCmNhQGtpdC5lZHUwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDMsqiKiaKAQVEpL20dPB0IejTRPrajRK7mwwXpqBo/APNN
8IPtcb16pITtb5wQAaeVPvu8YA+bi5U3Dm/xeFBayQQcvUAp04cwm/nqhvveCMOpvC41qgiq
K/ZSsDQlIre78zQDgndK9IjQmFdv8XCvLR0h8N5hl4L8H2NBfY9eJ1BIPZ3eZD6tAMPYkBw7
mJzs9wPDVU6V6Uws4kEwmSUGBEw7Avp8p0DdrLwJgFd1dRyUXvwA+oncv+hzdBLQCDj5RNac
deDRUuEmalJPxeLw/KcUs/2FMGwhiuCB9+1fW3G0JgPDTTSgbRS6l9faL7kJ99pUcElvws9x
4/s0kT9zAgMBAAGjggH3MIIB8zASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIB
BjARBgNVHSAECjAIMAYGBFUdIAAwHQYDVR0OBBYEFB90ZfSaHXr2MenfYRtzKw1t0DNJMB8G
A1UdIwQYMBaAFEm3xs/oPR9/6kR7Eyn38QpwPt5kMBUGA1UdEQQOMAyBCmNhQGtpdC5lZHUw
gYgGA1UdHwSBgDB+MD2gO6A5hjdodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2dsb2JhbC1yb290
LWNhL3B1Yi9jcmwvY2FjcmwuY3JsMD2gO6A5hjdodHRwOi8vY2RwMi5wY2EuZGZuLmRlL2ds
b2JhbC1yb290LWNhL3B1Yi9jcmwvY2FjcmwuY3JsMIHXBggrBgEFBQcBAQSByjCBxzAzBggr
BgEFBQcwAYYnaHR0cDovL29jc3AucGNhLmRmbi5kZS9PQ1NQLVNlcnZlci9PQ1NQMEcGCCsG
AQUFBzAChjtodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWNhL3B1Yi9jYWNl
cnQvY2FjZXJ0LmNydDBHBggrBgEFBQcwAoY7aHR0cDovL2NkcDIucGNhLmRmbi5kZS9nbG9i
YWwtcm9vdC1jYS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwDQYJKoZIhvcNAQELBQADggEBADoW
Jv/UVyB9nfsoym9xKp8a7sOLa4XSPU/xrKF4Dp3UdlKdzDK2JvzCziF50SiH54ZuKbsKUa6Y
XwHiWHO7tsUW2+r6cnbf6FGcvylyeOtetQsoKvB2bMhEG0fn1B4+9k5IuXJpcQSHiKZhRa/l
qNWO95hKHvhtUO8dlTYtlTaSEmv6RAcfw2JcYKiB2GC97h3YpwimDC15sfzwYdnhTdSXF54C
VPgwHPL85cR/YI7KlQtjvI6yz14mma7ffYN6W7UBDPPc/5emiYIgxbwEBFZ5orfkvPtfeJUu
T3FI7RBmE8mPl/betefdZzqF1F357emrpuGH9gZbJp98SgruQqgxggSCMIIEfgIBATCByzCB
vzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBxMJ
S2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRlY2hub2xvZ3kx
JzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1dGluZzEPMA0GA1UEAxMGS0lU
LUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1AgcYbcl+jZBKMAkGBSsOAwIaBQCgggKL
MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE0MTExNzE1Mjg1
MVowIwYJKoZIhvcNAQkEMRYEFBjth5tRUjTiqGRbwCz/VpVzijbgMGwGCSqGSIb3DQEJDzFf
MF0wCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgdwGCSsGAQQBgjcQ
BDGBzjCByzCBvzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0dGVtYmVyZzES
MBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0dXRlIG9mIFRl
Y2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1dGluZzEPMA0G
A1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1AgcYbcl+jZBKMIHeBgsq
hkiG9w0BCRACCzGBzqCByzCBvzELMAkGA1UEBhMCREUxGzAZBgNVBAgTEkJhZGVuLVd1ZXJ0
dGVtYmVyZzESMBAGA1UEBxMJS2FybHNydWhlMSowKAYDVQQKEyFLYXJsc3J1aGUgSW5zdGl0
dXRlIG9mIFRlY2hub2xvZ3kxJzAlBgNVBAsTHlN0ZWluYnVjaCBDZW50cmUgZm9yIENvbXB1
dGluZzEPMA0GA1UEAxMGS0lULUNBMRkwFwYJKoZIhvcNAQkBFgpjYUBraXQuZWR1AgcYbcl+
jZBKMA0GCSqGSIb3DQEBAQUABIIBABpz80jXDwunCntBfiEzC4X8e4JW5D2Loq1WTdFLyhf5
P1PIA5mz+RqqLpnpETF933Bwt2L9AXZF/DhAgUy6Y8VO9Bv1/l/KzEfHUbwiXS8+DYI0983a
HUOtJLvFeP8XtSK4bXN0DYFqbT2x7nbQtxtFxdzXvYQL9xPeZREG2qD0nf8GFaTdC9ekshUE
tiHY2/eDfgQ+g5tACk60ifxB2UFYs4Z+ClitZEzRn2jqLdlINuueqoVJfyJkUk4siZu4zj+x
INkz43cZO4U7NAeBCkr3MBsRJfKdcHKyOKpNoVWxSEiQ4006P0y9rwige42PBPEsG7vUQUXV
xU8MGfc7iBwAAAAAAAA=
--------------ms050507060501080708060205--