[OpenAFS] any experiences with OpenAFS client on the upcoming
MacOS 10.10 (yosemite) release?
Wed, 22 Oct 2014 11:42:48 +0200
I have just upgraded from 10.9 with installed OpenAFS client 1.6.6 to
10.10 (without reinstalling the OpenAFS client) and I am not able to get
tokens even with aklog.
I noticed the discussion about a similar issue on openafs-devel sometime
in July/August (thread: [OpenAFS-devel] Re: aklog on OS X does not
contact KDC to obtain AFS service principal) and found that the
problem is with the encryption type of our afs/zcu.cz@ZCU.CZ keys, which
are still of the des-cbc-crc type, which I understand is no longer supported
in the default Kerberos installation in Yosemite.
Until now (in 10.9) it was sufficient to have
allow_weak_crypto = yes
in the [libdefaults] section of /etc/krb5.conf
(or at least in /var/db/openafs/etc/krb5-weak.conf),
and in the same section of /etc/krb5.conf, for example:
default_tgs_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1
default_tkt_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1
permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1
However, this does not seem to be sufficient now. I get:
$ klist -v
Credentials cache: API:D0D39731-07E4-48E9-951F-0EB30CD701CC
Cache version: 0
Ticket etype: des3-cbc-sha1, kvno 2
Session key: aes256-cts-hmac-sha1-96
Ticket length: 338
Auth time: Oct 22 11:30:37 2014
End time: Oct 22 21:30:36 2014
Renew till: Nov 21 10:30:36 2014
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
$ aklog -d
Authenticating to cell zcu.cz (server sauron.zcu.cz).
Trying to authenticate to user's realm ZCU.CZ.
Getting tickets: afs/zcu.cz@ZCU.CZ
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get zcu.cz AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
and for example:
$ kgetcred afs/zcu.cz@ZCU.CZ
kgetcred: krb5_get_creds: Error from KDC: BAD_ENCRYPTION_TYPE
$ kgetcred -e des-cbc-crc afs/zcu.cz@ZCU.CZ
kgetcred: unrecognized enctype: des-cbc-crc
(and the command does not even try to contact the KDC).
Is there a way one can force the default Kerberos in Yosemite to
allow weak crypto? Or do I have to install, for example, MIT or
Heimdal Kerberos separately as a workaround until our keys are
upgraded to a different encryption type (which may take a rather long time)?
Thank you for your suggestions in advance.
Jan Pospisil, Ph.D. e-mail: firstname.lastname@example.org
University of West Bohemia phone: (+420) 37763-2675
Department of Mathematics fax: (+420) 37763-2602
Plzen, Czech Republic address: Univerzitni 22, 306 14
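An added example for this thread (not code from the original post or from OpenAFS): a small audit script that decodes the numeric error aklog -d prints, lists the enctypes of every credential in a klist -v cache, and checks the [libdefaults] enctype settings the post shows. The value -1765328370 is the com_err code KRB5KDC_ERR_ETYPE_NOSUPP (the krb5 error table base -1765328384 plus RFC 4120 error 14), which is the same condition kgetcred reports as BAD_ENCRYPTION_TYPE. One check worth having before touching krb5.conf again: with MIT krb5, allow_weak_crypto only stops DES from being filtered out of the three enctype lists; when those lists are set explicitly and omit des-cbc-crc, as in the post, the client will still never request it. All sample input is constructed here after the fragments quoted above (the second afs/ credential in the cache sample is invented to show the weak-enctype report); and note that single DES is a 56-bit key and brute-forceable, so re-enabling it is only a bridge until the service principal is rekeyed.

```python
"""Audit enctypes behind a Kerberos/AFS login failure like the one above.

Added example for this thread, not code from the post or from OpenAFS.
All samples are constructed here after the fragments quoted in the post.
"""
import re

# Single-DES and export-grade RC4 enctypes; MIT and Heimdal only offer the
# DES ones under allow_weak_crypto, and Yosemite's Kerberos rejects them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des3-cbc-raw", "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}

# com_err base of the "krb5" error table (same in MIT and Heimdal); the
# offsets are the protocol error numbers of RFC 4120 section 7.5.9.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

# Constructed klist -v output: the post's TGT plus an invented afs/ ticket.
SAMPLE_KLIST = """\
Credentials cache: API:D0D39731-07E4-48E9-951F-0EB30CD701CC
Cache version: 0

Server: krbtgt/ZCU.CZ@ZCU.CZ
Ticket etype: des3-cbc-sha1, kvno 2
Session key: aes256-cts-hmac-sha1-96

Server: afs/zcu.cz@ZCU.CZ
Ticket etype: des-cbc-crc, kvno 3
Session key: des-cbc-crc
"""
# Constructed krb5.conf fragment with exactly the settings the post lists.
SAMPLE_CONF = """\
[libdefaults]
    allow_weak_crypto = yes
    default_tgs_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1
    default_tkt_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1
    permitted_enctypes = aes256-cts des3-hmac-sha1 des3-cbc-sha1
"""


def decode_krb5_error(code):
    """Map a numeric com_err code, as printed by aklog -d, to its symbol."""
    name = KRB5_ERROR_NAMES.get(code - KRB5_ERROR_BASE)
    return name or "unknown krb5 error %d" % code


def parse_klist_v(text):
    """Parse Heimdal `klist -v` output into one dict per credential.

    A credential starts at each 'Server:' line, or at a second
    'Ticket etype:' line when the Server lines were trimmed as in the post.
    """
    entries, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or key == "credentials cache":
            continue
        if key == "server" or (key == "ticket etype" and "ticket_etype" in cur):
            if "ticket_etype" in cur:
                entries.append(cur)
            cur = {}
        if key == "server":
            cur["server"] = value
        elif key == "ticket etype":
            etype, _, rest = value.partition(",")
            m = re.search(r"kvno\s+(\d+)", rest)
            cur["ticket_etype"] = etype.strip()
            cur["kvno"] = int(m.group(1)) if m else None
        elif key == "session key":
            cur["session_key"] = value
    if "ticket_etype" in cur:
        entries.append(cur)
    return entries


def weak_credentials(entries):
    """List (server, field, enctype) for every weak enctype in the cache."""
    return [(e.get("server", "?"), f, e[f]) for e in entries
            for f in ("ticket_etype", "session_key")
            if e.get(f, "").lower() in WEAK_ENCTYPES]


def libdefaults_enctype_check(conf):
    """Return (allow_weak_crypto, enctype lists, des_listed) for [libdefaults].

    With MIT krb5, allow_weak_crypto only lifts the DES filter; requests are
    still limited to the *_enctypes lists, so DES must be listed there too.
    """
    section, allow_weak, lists = None, False, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "allow_weak_crypto":
                allow_weak = value.lower() in ("yes", "true", "1")
            elif key.endswith("_enctypes"):
                lists[key] = value.split()
    des_listed = any(et.lower().startswith("des-")
                     for ets in lists.values() for et in ets)
    return allow_weak, lists, des_listed
```

Run it against real output by piping `klist -v` into parse_klist_v and the live /etc/krb5.conf into libdefaults_enctype_check; on the post's configuration the check returns allow_weak_crypto=True with no DES enctype listed, and the error decoder turns aklog's -1765328370 into KRB5KDC_ERR_ETYPE_NOSUPP.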