Christopher Allen Wing wrote:
Hello,
On Tue, 11 Apr 2006, O Plameras wrote:
I have running servers with OpenAFS-1.4.1 on FC5 using kaserver.
I have used clients running OpenAFS on FC4/Win2000 and
OpenAFS-1.4.1rc10 on FC5.
This setup is working without any problem so far.
Do you have any actual users in your AFS cell yet? Or did you just
set it up with kaserver for testing purposes?
If you don't yet have any user accounts / passwords, it's probably
easiest not to bother with the kaserver conversion, but instead, just
create new principals in the k5 database and reset the afs key.
I have only a half-dozen users. Yes, I created new principals in the k5
DB and reset the afs key.
I want to convert from kaserver to krb5.
I installed and tested krb5-1.4.3 KDC. This works.
Then I did these.
[EMAIL PROTECTED] admin/admin
[EMAIL PROTECTED] example.com.ex -k EXAMPLE.COM.EX
[EMAIL PROTECTED]
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires Apr 11 22:04]
--End of list--
Did you create a new 'afs' principal in the K5 database?
Yes, I did. This is how I did it.
#kadmin.local -e des-cbc-crc:v4 <<EOF
addprinc -randkey afs/example.com.ex
ktadd -k KeyFile afs/example.com.ex
quit
EOF
#set `klist -k KeyFile | tail -1`
#asetkey add $1 KeyFile afs/example.com.ex
After this, I can do this because I have user
admin in k5.
#kinit admin
#aklog
The problem is after this I can't
#vos listvol toshiba.example.com.ex
In the AFS_K5_NAME_CHANGE it says to the effect that
I have to run afs2k5db and that's where I have compile errors
in attempting to compile using FC5 source rpm. The specific
errors amongst others say, files are missing, like:
k5-int.h
adm.h
I searched the source code of openafs-1.4.1rc10 but they are not found
there. I noticed they are in openafs-1.3.8.
It is my understanding that I need to run afs2k5db on kaserver.DBO
and use the output to update krb5 keys.
You only need to do this if you have users and passwords which you
care about preserving. Otherwise, it's probably simpler to recreate
the principals in the K5 database, and create a new
'afs/[EMAIL PROTECTED]' key.
OK, I got this. I am able to create principals in K5 to aklog
successfully. The problem after this
is I can't do AFS maintenance commands like #vos listvol <server>, etc.
I have about 500Gbytes and for this reason I can't reset my DB.
My problem is I can't compile afs2k5db.
You need to have the source code tree to the version of Kerberos which
you are running. This can be a pain.
Yes, I have the source code tree and attempted to recompile. As I
mentioned earlier the error is due to missing
files, like k5-int.h, adm.h.
Did you compile krb5 yourself, or are you using the stuff from FC5?
If the former is the case, no problem. If the latter is the case, you
will need to download the FC5 source RPM for kerberos, and do
something like:
create a temporary RPM root to build RPMs
rpm -ivh krb5-1.4.x.src.rpm
cd <rpmroot>/SPECS
rpmbuild -ba krb5.spec
Yep, I've done this.
Then you will have an expanded source tree in <rpmroot>/BUILD which
you can use to compile the afs-krb5 stuff. Note that you have to
actually perform the build in the krb5 directory, because some of the
files used by afs-krb5 require an actually built krb5. (you can't
just download the Kerberos source code and untar it)
Then download the afs-krb5 tar file. It won't build properly against
recent OpenAFS and Kerberos so you will need some patches. I have not
yet built afs-krb5 against krb5-1.4.x, so I don't know what changes
are necessary.
However, here are the patches that I used to build afs-krb5 against
krb5-1.3.x and openafs-1.4.x:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/
afs-krb5-2.0-umich.patch
afs-krb5-2.0-kfdump.patch
afs-krb5-2.0-krb524.patch
afs-krb5-2.0-k5private.patch
afs-krb5-2.0-libsocket.patch
afs-krb5-2.0-warnings.patch
afs-krb5-2.0-betterka2dump.patch
afs-krb5-2.0-res_search.patch
afs-krb5-2.0-com_err.patch
afs-krb5-2.0-openafs1.3.patch
afs-krb5-2.0-noaklog.patch
I did not have these files. Thanks for pointing to these files. I'll
incorporate these
and see what the outcome is going to be.
Download the patches and apply them in that order to the afs-krb5
source code.
You need to have the header files and libraries that come with OpenAFS
for development purposes. (probably in the openafs-devel RPM)
You then need to build it as follows:
cd <afs-krb5 source code tree>
autoreconf
./configure -prefix=/usr --with-krb5=/usr/kerberos \
--with-afs=/usr --with-umich
OK, I'll do.
# where <rpmroot> is the RPM root where you built the krb5 stuff
# (make sure that <rpmroot>/BUILD/krb5-1.4.x/include is actually the
# correct path to the include files, etc.)
make EXTRA_INC="-I<rpmroot>/BUILD/krb5-1.4.x/include -I/usr/include/et"
I'll do.
That probably assumes that you are using a 32-bit OS, because it will
look for the AFS libraries in /usr/lib not /usr/lib64. If you are
using a 64-bit OS, you will need to do something different with
--with-afs.
I have a 32-bit.
I use something similar to the above to build it on RHEL4, however I
always build afs-krb5 along with the rest of OpenAFS, so I have access
to the OpenAFS source code tree.
If you build OpenAFS yourself (from RPM), then you can do:
./configure -prefix=/usr --with-krb5=/usr/kerberos \
--with-afs=<afsrpmroot>/BUILD/xxx/<sysname>/dest --with-umich
where <afsrpmroot> is the RPM root where you built OpenAFS, and the
files are built into BUILD/openafs-x.x.x/xxx/sysname/dest
where sysname is probably i386_linux26 or amd64_linux26, etc.
As you can see it is somewhat complicated.
I'll take this as a learning experience.
If you want to go ahead and use afs-krb5, you may also find this
script useful:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/kas-kdb-merge.pl
Yes, I'll go ahead and certainly, I'll use this.
The afs2k5db program generates a krb5 dump record which is missing
'last modified by' data. This is because getting the information
requires more knowledge of the kaserver database than afs2k5db
implements.
If you use that script, it will take the output of 'kas list -long'
and add back in the 'last modified by' data into the dump record.
This is mainly interesting if you have been running kaserver for a
long time and would like to preserve as much metadata as possible when
you convert to pure krb5.
Thanks for this info. Any little hint is always useful.
But overall, if you don't have any actual production users in your
cell, or if you only have a few people and it wouldn't be a big deal
to just change their passwords, I would recommend skipping the
afs2k5db entirely and just regenerating the afs key from scratch.
Thanks again.
O Plameras
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
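
Added example (not part of the original thread, and not code from OpenAFS or either poster): the `set `klist -k KeyFile | tail -1`` step above takes the kvno from whatever entry is last in the keytab. This sketch selects the highest kvno held for the named principal instead, which goes beyond the single-entry keytab in the thread. The `afs_kvno` helper, the sample listing and the `host/` entry are constructed for illustration.

```shell
#!/bin/sh
# Pick the kvno for one principal from `klist -k` output, so the value
# handed to asetkey matches the afs key even if the keytab has other entries.

# Constructed sample of `klist -k KeyFile` output (not from the thread).
SAMPLE_KLIST='Keytab name: FILE:KeyFile
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/example.com.ex@EXAMPLE.COM.EX
   3 afs/example.com.ex@EXAMPLE.COM.EX
   1 host/toshiba.example.com.ex@EXAMPLE.COM.EX'

# afs_kvno PRINCIPAL REALM  (hypothetical helper)
# Reads klist -k output on stdin and prints the highest kvno stored for
# PRINCIPAL@REALM. Exits with status 1 if the principal is not present.
afs_kvno() {
    awk -v want="$1@$2" '
        BEGIN { max = -1 }
        # Data rows are "<kvno> <principal>"; header and rule lines
        # do not start with a number and are skipped.
        $1 ~ /^[0-9]+$/ && $2 == want {
            if ($1 + 0 > max) max = $1 + 0
        }
        END {
            if (max < 0) exit 1
            print max
        }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | afs_kvno afs/example.com.ex EXAMPLE.COM.EX

# Against a real keytab (needs the krb5 and OpenAFS tools from the thread):
#   kvno=$(klist -k KeyFile | afs_kvno afs/example.com.ex EXAMPLE.COM.EX) &&
#       asetkey add "$kvno" KeyFile afs/example.com.ex
```

The non-zero exit status when the principal is missing keeps `asetkey` from being run with an empty or unrelated kvno.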