[OpenAFS] any experiences with OpenAFS client on the upcoming MacOS 10.10 (yosemite) release?

Jan Pospíšil honik@kma.zcu.cz
Wed, 22 Oct 2014 11:42:48 +0200


I have just upgraded from 10.9 with installed OpenAFS client 1.6.6 to 
10.10 (without reinstalling the OpenAFS client) and I am not able to get 
tokens even with aklog.

I noticed the discussion about a similar issue in openafs-devel sometime 
in July/August (thread: [OpenAFS-devel] Re: aklog on OS X does not 
contact KDC to obtain AFS serivce principal) and detected that the 
problem is with the encryption type of our afs/zcu.cz@ZCU.CZ keys, which 
are still of the des-cbc-crc type that, as I understand it, is no longer 
supported in the default Kerberos installation in Yosemite.

So far (in 10.9) it was sufficient to have
allow_weak_crypto = yes
in the [libdefaults] in /etc/krb5.conf
(or at least in /var/db/openafs/etc/krb5-weak.conf).

and in the same section in /etc/krb5.conf for example

     default_tgs_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
     default_tkt_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
     permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc

However, this does not seem to be sufficient now. I get:

$ klist -v
Credentials cache: API:D0D39731-07E4-48E9-951F-0EB30CD701CC
         Principal: honik@ZCU.CZ
     Cache version: 0

Server: krbtgt/ZCU.CZ@ZCU.CZ
Client: honik@ZCU.CZ
Ticket etype: des3-cbc-sha1, kvno 2
Session key: aes256-cts-hmac-sha1-96
Ticket length: 338
Auth time:  Oct 22 11:30:37 2014
End time:   Oct 22 21:30:36 2014
Renew till: Nov 21 10:30:36 2014
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

$ aklog -d
Authenticating to cell zcu.cz (server sauron.zcu.cz).
Trying to authenticate to user's realm ZCU.CZ.
Getting tickets: afs/zcu.cz@ZCU.CZ
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get zcu.cz AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

and for example:

$ kgetcred afs/zcu.cz@ZCU.CZ
kgetcred: krb5_get_creds: Error from KDC: BAD_ENCRYPTION_TYPE

$ kgetcred -e des-cbc-crc afs/zcu.cz@ZCU.CZ
kgetcred: unrecognized enctype: des-cbc-crc
(and the command does not even try to contact the KDC).

Is there a way one can force the default Kerberos in Yosemite to
allow weak crypto? Or do I have to install, for example, MIT or 
Heimdal Kerberos separately as a workaround until our keys are 
upgraded to a different encryption type (which may take a rather long time)?

Thank you for your suggestions in advance.

Kind Regards
Jan Pospisil
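As an added illustration (not part of the original post, nor OpenAFS or Apple code), a small Python check that flags single-DES enctypes left in a krb5.conf [libdefaults] section and decodes the raw com_err value that aklog printed above; the embedded sample config is the one from the post with its wrapped lines re-joined. It assumes MIT krb5's error table base (-1765328384) and the offset name KRB5KDC_ERR_ETYPE_NOSUPP (14, "KDC has no support for encryption type"), which is what Heimdal's kgetcred reports as BAD_ENCRYPTION_TYPE.

```python
import re

# Constructed sample: the [libdefaults] section from the post, re-joined.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    allow_weak_crypto = yes
    default_tgs_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
"""

# Single-DES enctypes: deprecated by RFC 6649 and refused by modern MIT/Heimdal
# libraries unless allow_weak_crypto is set (and Yosemite's libkrb5 refuses them).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

KRB5_ERROR_TABLE_BASE = -1765328384  # com_err base of MIT's krb5 error table (assumed)
KRB5_ERROR_NAMES = {14: "KRB5KDC_ERR_ETYPE_NOSUPP"}  # only the code seen in the post

def parse_libdefaults(text):
    """Return key -> value for the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values

def weak_enctypes_in_use(text):
    """Map each enctype-list key to the weak enctypes it still lists (empty if clean)."""
    defaults = parse_libdefaults(text)
    found = {}
    for key in ENCTYPE_KEYS:
        weak = [e for e in defaults.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            found[key] = weak
    return found

def allows_weak_crypto(text):
    """True if allow_weak_crypto is enabled, i.e. the client will still offer DES."""
    return parse_libdefaults(text).get("allow_weak_crypto", "false").lower() in ("yes", "true", "1")

def decode_krb5_error(code):
    """Turn a raw com_err value such as -1765328370 into (krb5 offset, symbolic name)."""
    offset = code - KRB5_ERROR_TABLE_BASE
    return offset, KRB5_ERROR_NAMES.get(offset, "unknown")
```

Running decode_krb5_error(-1765328370) yields offset 14, i.e. the KDC rejected every enctype the client offered; the real fix is re-keying the afs/ principal with a non-DES type, with the config flags above only a stopgap.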

