Hi,
I'm trying to convert a kaserver.DB into a Kerberos DB with the afs2k5db
utility.
We're running Kerberos 1.6.3 on our KDC, but since afs2k5db seems only
compatible with the 1.2.x series, I've used 1.2.7 from the MIT website (so
this is MIT Kerberos :)
I had the afs-krb5.tar package from the Grand Central AFS cell
(/afs/grand.central.org/software/afs-krb5/) and I've compiled it against
MIT Kerberos 1.2.7 and OpenAFS 1.4.10.
After manually modifying the Makefile, compilation succeeded for afs2k5db
(the only tool I'm interested in from the afs-krb5 archive) (see
attachment for my modified Makefile)
First surprise, afs2k5db is not linked with any of my Kerberos 5
libraries ::
ldd afs2k5db
libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libc.so.1 => /lib/libc.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libm.so.2 => /lib/libm.so.2
So, maybe Kerberos5 code is statically linked into my binary (but I'm
doubtful, no -static is present in the Makefile)
I could use afs2k5db to dump my kaserver.DB0 ::
afs2k5db /PATH/TO/kaserver.DB0 > kaserver.out
I've deleted AuthServer/Admin, afs key, and ktgt lines manually.
I could import it successfully into my Kerberos 5 db with ::
kdb5_util load -update -verbose kaserver.out
[account listing]
I could do a getprinc on any of my old AFS credentials ::
kadmin.local -q "getprinc rferrand"
Authenticating as principal root/[email protected] with password.
Principal: [email protected]
Expiration date: Thu Dec 31 01:00:00 MET 2037
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: -24670 days -1:-8:-16
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jul 10 10:25:23 MEST 2009 ([email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]
( Max ticket life time is bogus, but not the problem here )
But I can't use my accounts, for passwords seem badly imported from
kasDB ::
kinit rferrand
Password for [email protected]:
kinit(v5): Password incorrect while getting initial credentials
A capture with Wireshark doesn't show any error (before I had a
DECRYPT_INTEGRITY error, but not anymore), krbtgt/CELL_NAME is sent
to my client, but nothing appears with a "klist"
My KDCs logs don't show anything unusual ::
Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157, etypes {rep=1 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
My krbtgt/TEST.IN2P3.FR principal is as follows ::
r...@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc krbtgt/TEST.IN2P3.FR"
Authenticating as principal root/[email protected] with password.
Principal: krbtgt/[email protected]
[...]
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
And my Master Key for Kerberos V DB is ::
r...@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc K/[email protected]"
Authenticating as principal root/[email protected] with password.
Principal: K/[email protected]
[...]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: DISALLOW_ALL_TIX
Policy: [none]
Simple DES is used...
My kdc.conf file ::
r...@cckrb01:/usr/local/krb5/var/krb5$ cat /etc/krb5/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    v4_mode = disable
[realms]
    TEST.IN2P3.FR = {
        master_key_type = des-cbc-crc
        supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal
        database_name = /usr/local/krb5/var/krb5kdc/principal
        admin_keytab = FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        key_stash_file = /usr/local/krb5/var/krb5kdc/.k5.TEST.IN2P3.FR
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
Everything is working except the migration of users from kasDB to Krb5DB.
If anybody has any idea ...
Thanks
Rémi
--
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
###################################################################################
[afs2k5db Makefile]
#
# $Id: Makefile.in,v 1.12 2003/03/17 01:13:34 kenh Exp $
#
# This is the Makefile for the AFS-Kerberos 5 Migration Kit. See the
# directions below for the meaning of each flag.
#
#
# Support obj directories
#
srcdir = .
# Your C compiler. Salt to taste
CC=cc
# Optimizer, debug flags
OPT=-g -I/usr/local/krb5-1.2.7/include
# Defines to add to the command line
DEFS=-DPACKAGE_NAME=\"afs-krb5\" -DPACKAGE_TARNAME=\"afs-krb5\" \
	-DPACKAGE_VERSION=\"1.4\" -DPACKAGE_STRING=\"afs-krb5\ 1.4\" \
	-DPACKAGE_BUGREPORT=\"[email protected]\" -DAFS=1 -DAFS_INT32=1 \
	-DAFS_TRY_FULL_PRINC=1 -DHAVE_DAEMON=1 -DSTDC_HEADERS=1 \
	-DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 \
	-DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 \
	-DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 \
	-DHAVE_UNISTD_H=1 -DHAVE_STDLIB_H=1 -DHAVE_MEMORY_H=1 -DHAVE_MALLOC_H=1 \
	-DHAVE_STRERROR=1 -DRETSIGTYPE=void -DALLOW_REGISTER
# Include files
INCLUDE= -I/root/krb_src/krb5-1.2.7/src/include \
	-I/usr/local/openafs/include \
	-I/root/krb_src/krb5-1.2.7/src/include/krb5/stock \
	-I/root/krb_src/krb5-1.2.7/src/include/krb5 \
	-I/root/krb_src/krb5-1.2.7/src/mac/libraries
# root/krb_src/krb5-1.2.7/src/mac/libraries => autoconf.h
# /root/krb_src/krb5-1.2.7/src/include/krb5 => kdb.h
# /root/krb_src/krb5-1.2.7/src/include/krb5/stock => osconf.h
# /usr/local/openafs/include => OpenAFS headers (/usr/local/openafs <=> build directory)
# /root/krb_src/krb5-1.2.7/src/include => Kerberos 5 headers from source directory
# "Extra" include files
EXTRA_INC= -I/root/krb_src/krb5-1.2.7/include \
	-I/root/krb_src/krb5-1.2.7/include/krb5 -I/usr/local/krb5/include \
	-I/usr/local/krb5/include/krb5
# Extra library objects (for fakeka)
LIBOBJS=
# Extra objects for aklog
AKLOG_EXTRA_OBJ=adderrtable.o
# Library files
#LIBS= -L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib -lkrb5 -lk5crypto -lcom_err -lresolv -lsocket -lnsl
LIBS=-L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib -lkadm5srv \
	-lkdb5 -ldb -lgssrpc -ldyn -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err \
	-lgen
# AFS libraries
AFSLIBS=-L/usr/local/openafs/lib -L/usr/local/openafs/lib/afs -lsys \
	-lprot -lubik -lauth -lrxkad -lrx -llwp -ldes \
	-lsys /usr/local/openafs/lib/afs/util.a
# Network libraries
NETLIBS=
# Location of the 5-2-4 library
KRB524LIB=-lkrb524
# CFLAGS to use for KDB/Kadm5 applications
KDB_CFLAGS=-I/usr/local/krb5-1.2.7/include
# Libraries to use when linking in a KDB/Kadm5 application
KDB_LIBS=-L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib \
	-lkadm5srv -lkdb5 -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err \
	-lresolv -lsocket -lnsl
# Extra libraries for fakeka
FAKEKA_LIBS=-ldes425
# Install program and target installation directories
INSTALL=./install-sh -c
prefix=/usr/local/krb5
INSTALL_BIN=$(prefix)/bin
INSTALL_SBIN=$(prefix)/sbin
PROGS=afs2k5db keyfile_dump
CFLAGS=$(OPT) $(INCLUDE) $(DEFS)
AKLOG_OBJS=aklog.o aklog_main.o aklog_param.o krb_util.o linked_list.o \
	$(AKLOG_EXTRA_OBJ)
all: $(PROGS)
clean:
	rm -f $(PROGS) afs2k5db.o asetkey.o $(AKLOG_OBJS) fakeka.o \
		ka-forwarder.o keyfile_dump.o k5dbsubs.o $(LIBOBJS)
distclean: clean
	rm -f config.cache config.log config.status Makefile
afs2k5db: afs2k5db.o k5dbsubs.o
	$(CC) -o $@ afs2k5db.o k5dbsubs.o $(KDB_LIBS)
afs2k5db.o: afs2k5db.c
	$(CC) -c $(CFLAGS) $(EXTRA_INC) $<
[...]
install: $(PROGS)
	$(INSTALL) -s aklog $(DESTDIR)$(INSTALL_BIN)
	$(INSTALL) -s afs2k5db asetkey fakeka ka-forwarder \
		$(DESTDIR)$(INSTALL_SBIN)
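
The krb5kdc AS_REQ line quoted in the message above carries its encryption types as bare numbers. This added example (not part of the original post, and not code from MIT Kerberos or afs-krb5) decodes them and reports which keys in the exchange are single DES. The names `parse_as_req` and `SAMPLE` are made up here, and the sample line uses placeholder principals.

```python
import re

# Kerberos encryption type numbers (IANA registry) seen in the quoted log line.
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}

# Constructed sample: the post's log line rejoined, with placeholder principals.
SAMPLE = (
    "Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157, "
    "etypes {rep=1 tkt=16 ses=16}, user@EXAMPLE.REALM for "
    "krbtgt/EXAMPLE.REALM@EXAMPLE.REALM"
)

AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): .*?"
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}"
)


def name(n):
    """Map an etype number to its name, keeping unknown numbers visible."""
    return ETYPES.get(n, f"etype-{n}")


def parse_as_req(line):
    """Decode one AS_REQ log line; return None if the line is not an AS_REQ."""
    m = AS_REQ.search(line)
    if m is None:
        return None
    requested = [int(n) for n in m.group("req").split()]
    # rep = key encrypting the reply (the client's long-term key),
    # tkt = key encrypting the ticket, ses = session key.
    used = {k: int(m.group(k)) for k in ("rep", "tkt", "ses")}
    return {
        "client": m.group("client"),
        "status": m.group("status"),
        "requested": [name(n) for n in requested],
        "used": {k: name(v) for k, v in used.items()},
        "single_des": sorted(k for k, v in used.items() if v in SINGLE_DES),
        "stronger_offered": [name(n) for n in requested if n not in SINGLE_DES],
    }


if __name__ == "__main__":
    print(parse_as_req(SAMPLE))
```

For the quoted line this reports `rep` as des-cbc-crc, the only key type listed for the imported principal, while the ticket and session keys are des3-cbc-sha1.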