Bug 454280 - cannot get AFS service principal into keytab
cannot get AFS service principal into keytab
Product: freeIPA
Classification: Community
Component: ipa-client (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Simo Sorce
Chandrasekar Kannan
Depends On:
Blocks: 453489
  Show dependency treegraph
Reported: 2008-07-07 09:54 EDT by Matt Bernstein
Modified: 2015-01-04 18:33 EST (History)
4 users (show)

See Also:
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matt Bernstein 2008-07-07 09:54:00 EDT
Description of problem: I can't extract an afs3-salted service principal so that
"asetkey" works.

Version-Release number of selected component: ipa-client-1.1.0-2.fc9.x86_64

How reproducible: always

Steps to Reproduce:
1. ipa-addservice afs
2. ipa-getkeytab -s kdc -p afs -e des-cbc-crc:afs3 -k /etc/krb5.keytab.afs
Actual results:

Warning unrecognized encryption type: [des-cbc-crc:afs3]

Expected results:

No warnings, then asetkey works.

Additional info: using kadmin.local as described in
<http://www.dementia.org/twiki/bin/view/AFSLore/FedoraAFSInstall> appears to
work (at least asetkey now works), but the service ticket is placed under
cn=kerberos instead of cn=services,cn=accounts (apparently this is Bad!).

I am no expert in Kerberos or OpenAFS, so it's possible I'm trying to do
something slightly stupid.
Comment 1 Simo Sorce 2008-07-14 17:30:09 EDT
Matt I remember we discussed this problem before you submitted a bug.

Can you please try with just -e des-cbc-crc ?

What errors do you get if you use this form ?
It would be nice to have krb5kdc.log if openAFS fails to obtain a tgt using a
keytab generated this way.

Comment 2 Jenny Galipeau 2008-11-26 11:56:05 EST
Need to know if there was actually a fix for this -or should be resolved with a different status than MODIFIED?  Thanks
Comment 3 Chandrasekar Kannan 2008-11-26 15:02:50 EST
jenny - its probably one of those bugs where we wanted to see if we can reproduce the original problem. 

If we can, then re-open the bug.
else, mark it as closed/worksforme
Comment 4 Jenny Galipeau 2008-11-30 08:38:24 EST
Fix Verified:

from install log:

2008-11-26 02:44:23,729 DEBUG   [6/13]: adding default keytypes
2008-11-26 02:44:23,777 INFO add krbSupportedEncSaltTypes:
modifying entry "cn=BOS.REDHAT.COM,cn=kerberos,dc=bos,dc=redhat,dc=com"
modify complete

Note You need to log in before you can comment on or make changes to this bug.