[OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

Andrew Deason adeason@sinenomine.net
Mon, 17 Nov 2014 10:14:18 -0600

On Mon, 17 Nov 2014 16:28:51 +0100
Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:

> I think i solved this issue now:

...but you mentioned it still doesn't work? I don't see how this is

> In none of the above cases the afs service ticket work correctly
> although In the 1. case i have a des-cbc-crc key.
> I cant access my user directory in afs. I get a permission denied error.

Yes, and that is expected. I suppose I have not been clear; you have two
different ways to make this work:

1. Extract a keytab for afs/cell with just DES, and nothing else, just
like you originally did (and add it to the KeyFile). Then get the
FreeIPA KDC and your client machine configured to use DES. If you have
not correctly configured these to let you use DES, then you get the
error you originally saw (-1765328370). If you've already set
allow_weak_crypto on the KDC and the client, then you may need to ask
the FreeIPA people for additional help.

2. Extract a keytab for afs/cell with non-DES enctypes, and install it
in rxkad.keytab. Follow the instructions I mentioned in
<http://openafs.org/pages/security/install-rxkad-k5-1.6.txt> and
<http://openafs.org/pages/security/how-to-rekey.txt> to configure the
servers to use this keytab. If you have not configured the servers to do
this, then you will get errors such as "permission denied", as you have
been getting.

So, follow one of those paths, and you should be able to get
authentication working. Your current setup I believe is following
neither of those approaches, and so it doesn't work. I would think
option 2 is easier, but that's up to you.

Andrew Deason