Bug 454280

Summary: cannot get AFS service principal into keytab
Product: [Retired] freeIPA
Reporter: Matt Bernstein <mb--redhat>
Component: ipa-client
Assignee: Simo Sorce <ssorce>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: low
Version: 1.0
CC: benl, jgalipea, nalin, rcritten
Hardware: All
OS: Linux
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Bug Blocks: 453489    

Description Matt Bernstein 2008-07-07 13:54:00 UTC
Description of problem: I can't extract an afs3-salted service principal so that
"asetkey" works.

Version-Release number of selected component: ipa-client-1.1.0-2.fc9.x86_64

How reproducible: always

Steps to Reproduce:
1. ipa-addservice afs
2. ipa-getkeytab -s kdc -p afs -e des-cbc-crc:afs3 -k /etc/krb5.keytab.afs
  
Actual results:

Warning unrecognized encryption type: [des-cbc-crc:afs3]

Expected results:

No warnings, then asetkey works.

Additional info: using kadmin.local as described in
<http://www.dementia.org/twiki/bin/view/AFSLore/FedoraAFSInstall> appears to
work (at least asetkey now works), but the service ticket is placed under
cn=kerberos instead of cn=services,cn=accounts (apparently this is Bad!).

I am no expert in Kerberos or OpenAFS, so it's possible I'm trying to do
something slightly stupid.

Comment 1 Simo Sorce 2008-07-14 21:30:09 UTC
Matt, I remember we discussed this problem before you submitted a bug.

Can you please try with just -e des-cbc-crc?

What errors do you get if you use this form?
It would be nice to have krb5kdc.log if OpenAFS fails to obtain a TGT using a
keytab generated this way.

Comment 2 Jenny Severance 2008-11-26 16:56:05 UTC
Need to know if there was actually a fix for this, or should it be resolved with a different status than MODIFIED? Thanks

Comment 3 Chandrasekar Kannan 2008-11-26 20:02:50 UTC
Jenny - it's probably one of those bugs where we wanted to see if we can reproduce the original problem.

If we can, then re-open the bug.
Else, mark it as closed/worksforme.

Comment 4 Jenny Severance 2008-11-30 13:38:24 UTC
Fix Verified:

from install log:

2008-11-26 02:44:23,729 DEBUG   [6/13]: adding default keytypes
2008-11-26 02:44:23,777 INFO add krbSupportedEncSaltTypes:
        aes256-cts:normal
        aes128-cts:normal
        des3-hmac-sha1:normal
        arcfour-hmac:normal
        des-hmac-sha1:normal
        des-cbc-md5:normal
        des-cbc-crc:normal
        des-cbc-crc:v4
        des-cbc-crc:afs3
modifying entry "cn=BOS.REDHAT.COM,cn=kerberos,dc=bos,dc=redhat,dc=com"
modify complete