Mac OSX working K5 config
Updated on Thu, 2014-11-13 06:27. Originally created by jeromel on 2014-11-12 16:25.
Under Mac OSX 10.10, no luck: DES is disabled by force and aklog will NOT work, at least not until we finish the OpenAFS server upgrade and make sure only the AES keys are available.
Here is what I did set for Mac OSX 10.9.
(1) Create a /etc/krb5.conf file with the below content
[libdefaults]
 default_realm = RHIC.BNL.GOV
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 432000
 renew_lifetime = 604800
 forwardable = true
 allow_weak_crypto = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc
[realms]
 RHIC.BNL.GOV = {
  kdc = rkdc.rhic.bnl.gov
  kdc = rkdc00.rhic.bnl.gov
  kdc = rkdc01.rhic.bnl.gov
  admin_server = rkdc00.rhic.bnl.gov
  default_domain = rcf.bnl.gov
 }
[domain_realm]
 .rhic.bnl.gov = RHIC.BNL.GOV
 rhic.bnl.gov = RHIC.BNL.GOV
 .rcf.bnl.gov = RHIC.BNL.GOV
 rcf.bnl.gov = RHIC.BNL.GOV
Make sure it is EXACTLY as noted above (with one user, I had an additional blank line and all went to hell - that sensitive!).
(2) With the above config, kinit worked out of the box BUT not aklog. Here, I had two cases:
2.a On some Mac OSX (I hoped most but for two out of three, this did not work), you need to move aside the file /var/db/openafs/etc/krb5-weak.conf by doing something like
% mv /var/db/openafs/etc/krb5-weak.conf /var/db/openafs/etc/krb5-weak.conf.bak
You can try that first and if it works, we are good to go.
2.b If not and for both kinit and aklog to work, you can force reading the configuration file by making sure you have the environment variable KRB5_CONFIG defined like
KRB5_CONFIG=/etc/krb5.conf ; export KRB5_CONFIG
or
setenv KRB5_CONFIG /etc/krb5.conf
After all of this is done, klist -v should show something like below
% klist -v
Credentials cache: API:F3F8BC0F-70A4-4EF7-BD5A-B94EE3CF7C9E
Principal: jeromel@RHIC.BNL.GOV
Cache version: 0

Server: krbtgt/RHIC.BNL.GOV@RHIC.BNL.GOV
Client: jeromel@RHIC.BNL.GOV
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 347
Auth time: Nov 12 15:39:33 2014
End time: Nov 17 15:39:28 2014
Renew till: Nov 19 15:39:28 2014
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: afs@RHIC.BNL.GOV
Client: jeromel@RHIC.BNL.GOV
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4
Ticket length: 293
Auth time: Nov 12 15:39:33 2014
Start time: Nov 12 15:39:47 2014
End time: Nov 17 15:39:28 2014
Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent, forwardable
Addresses: addressless
As seen, the KDC ticket is AES while the AFS token is based on DES.
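To see at a glance what on a given Mac still relies on DES (and to confirm nothing does once the servers carry AES keys and allow_weak_crypto can be dropped), here is a small shell audit; it is an added example, not part of the original post. It scans klist -v output and krb5.conf for single-DES enctypes; the klist and krb5.conf text embedded in it is constructed in the format shown above, with a placeholder user instead of a real principal.

```shell
# Added example, not from the original post: audit which tickets and which
# krb5.conf settings still depend on single DES, so the allow_weak_crypto
# workaround can be dropped once the OpenAFS servers carry AES keys.

# Constructed klist -v sample in the format shown above (one AES, one DES ticket).
SAMPLE_KLIST='Server: krbtgt/RHIC.BNL.GOV@RHIC.BNL.GOV
Client: user@RHIC.BNL.GOV
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2

Server: afs@RHIC.BNL.GOV
Client: user@RHIC.BNL.GOV
Ticket etype: des-cbc-crc, kvno 4
Session key: des-cbc-md4'

# Constructed krb5.conf sample with the weak settings from the post.
SAMPLE_CONF='[libdefaults]
 default_realm = RHIC.BNL.GOV
 allow_weak_crypto = true
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = des-cbc-crc'

# weak_tickets: klist -v output on stdin -> one "<server> <kind> <etype>" line
# per ticket or session key that uses a des-* enctype.
weak_tickets() {
  awk '
    /^Server:/       { server = $2 }
    /^Ticket etype:/ { e = $3; sub(/,$/, "", e); if (e ~ /^des-/) print server, "ticket", e }
    /^Session key:/  { e = $3; sub(/,$/, "", e); if (e ~ /^des-/) print server, "session", e }
  '
}

# weak_conf: krb5.conf on stdin -> one "key=value" line per setting that
# enables weak crypto or asks for a des-* enctype.
weak_conf() {
  awk -F'=' '
    /^[ \t]*allow_weak_crypto[ \t]*=/ || /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
      k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if ((k == "allow_weak_crypto" && v == "true") || v ~ /des-/) print k "=" v
    }
  '
}

# audit_weak_crypto KLIST_TEXT CONF_TEXT: print findings, return 1 if any.
audit_weak_crypto() {
  found=$( { printf '%s\n' "$1" | weak_tickets; printf '%s\n' "$2" | weak_conf; } )
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}
```

On a real machine run it as `audit_weak_crypto "$(klist -v)" "$(cat /etc/krb5.conf)"`; a non-zero exit means something still depends on DES.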