Hi everybody,
First of all, thanks for your answers ;-)
After modifying just a few lines of the migration kit, I finally got what
I wanted:
- a migration kit compiled with MIT Kerberos 1.6.3 release
- OpenAFS 1.4.10
- a working executable (compilation works, but everything else also !!)
Before giving you my few modifications, I need to give you a little explanation:
- MIT Kerberos 1.6.3 / OpenAFS 1.4.10
- Migration kit sources obtained from
/afs/grand.central.org/software/afs-krb5/
- Operating system is Solaris 10 (also tested on Debian which is my
development platform)
- MIT Kerberos 1.6.3 is installed in /usr/local/krb5
- MIT Kerberos sources are in /root/krb_src/krb5-1.6.3
- OpenAFS 1.4.10 build (obtained with the "make test" target) is in
/root/openafs_src/openafs-1.4.10/sunx86_510
My patch is as simple as this ::
[patch_ccin2p3]
--- afs2k5db.c.orig Sat Jul 11 18:46:01 2009
+++ afs2k5db.c Mon Jul 13 11:20:40 2009
@@ -29,10 +29,10 @@
#endif
#include <errno.h>
+#include <k5-int.h>
#include <krb5.h>
#include <com_err.h>
-#include <k5-int.h>
#include <adm.h>
#include <adm_proto.h>
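Review bot: the include block now puts <k5-int.h> ahead of <krb5.h> with no comment saying why the order matters, so the next person to tidy the includes can silently undo it. Add a one-line comment above `#include <k5-int.h>` stating the ordering requirement, and since the same move is made in k5dbsubs.c, consider one shared local header that includes the two in the required order.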
@@ -207,8 +207,7 @@
* This is way more complicated than it needs to be! Argh.
*/
- if ((retval = krb5_read_realm_params(convert_context, NULL,
- NULL, NULL, &rparams))) {
+ if ((retval = krb5_read_realm_params(convert_context, NULL,
&rparams))) {
com_err(argv[0], retval, "While reading realm parameters");
exit(1);
}
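Review bot: the added call line `krb5_read_realm_params(convert_context, NULL,` has been wrapped by the mailer, so its continuation `&rparams))) {` carries no `+` prefix and the hunk (declared as 8 lines to 7) will not apply as sent; resend it unwrapped or as an attachment. The call also goes from five arguments to three unconditionally, which drops the ability to build against a krb5 tree that still has the five-argument prototype, so a configure test or `#ifdef` choosing between the two forms would be safer than replacing the old call outright.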
--- k5dbsubs.c.orig Mon Jul 13 11:53:44 2009
+++ k5dbsubs.c Sat Jul 11 18:58:46 2009
@@ -26,10 +26,11 @@
#endif
#include <errno.h>
+#include <k5-int.h>
#include <krb5.h>
#include <com_err.h>
-#include <k5-int.h>
+#include <kdb.h>
#include <afs/kauth.h>
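Review bot: `#include <kdb.h>` is added in the slot where `<k5-int.h>` used to be, with nothing saying what needs it. If it is there for the `krb5_key_data` declaration introduced in the next hunk, note that in a comment, and check that the header is reachable through the include paths the build actually passes, since it is included here by bare name.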
@@ -48,6 +49,8 @@
* Output one record in the format used by the database dump file
*/
+krb5_key_data *key_data;
+
void
db_entry_output(FILE *f, krb5_context convert_context, char *user,
char *instance, char *realm, int kvno,
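Review bot: `krb5_key_data *key_data;` is inserted between the "Output one record..." comment and `db_entry_output()`, so the comment now sits on the variable instead of the function, and the pointer becomes a file-scope global with external linkage that nothing in this hunk assigns. Move it above the comment and make it `static`, or declare it inside the function that uses it, and add a comment saying what it is for.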
--- configure.orig Mon Mar 17 01:49:24 2003
+++ configure Mon Jul 13 12:07:03 2009
@@ -2327,9 +2327,9 @@
echo "$as_me:$LINENO: result: Setting KADM_LIBS to $krb5_libs_kadm" >&5
echo "${ECHO_T}Setting KADM_LIBS to $krb5_libs_kadm" >&6
CFLAGS="$CFLAGS $krb5_cflags"
-LIBS="$LIBS $krb5_libs"
+LIBS="$LIBS $krb5_libs -lkrb5support"
KADM_CFLAGS="$krb5_cflags_kadm"
-KADM_LIBS="$krb5_libs_kadm"
+KADM_LIBS="$krb5_libs_kadm -lkrb5support"
echo "$as_me:$LINENO: checking for socket" >&5
echo $ECHO_N "checking for socket... $ECHO_C" >&6
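Review bot: `-lkrb5support` is appended to both LIBS and KADM_LIBS unconditionally, and in the generated `configure` rather than in its autoconf input, so the change is lost the next time configure is regenerated and is forced onto platforms that link fine without it. Make the addition conditional on a library check for libkrb5support and put it in the autoconf input, leaving `configure` as generated output.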
Remark :
1. As you can see, the "configure" script has been directly modified. This is
not very recommended, but my production machine doesn't have autoconf ...
2. On my Debian OS, adding the flag for libkrb5support.so, and so modifying
the configure script, isn't needed, but Solaris complains about this so I had
to add it explicitly.
3. This "patch" if we can say it, hasn't been created to be "perfect"
and a final version, but just to make the whole thing working and for
me, it did the trick.
[ Compilation steps ]
cd ${PATH_TO_AFS-KRB5-MIGRATION-KIT}/src
export CFLAGS="-I/root/krb_src/krb5-1.6.3/src/include
-I/root/openafs_src/openafs-1.4.10/sunx86_510/dest/include"
./configure --with-krb5-config=/usr/local/krb5/bin/krb5-config
make
At this step, make will fail on the asetkey binary, but whatever, asetkey is
now part of the OpenAFS source code, and our "afs2krb5" binary has been
built without any error.
I wanted to check that my binary was linked to any Kerberos 5 library
(it MUST be linked to any), because last time compilation succeeded but my
binary was bogus and not linked to any Krb5 library.
[ldd afs2k5db]
libkadm5srv.so.5 => /usr/local/krb5-1.6.3/lib/libkadm5srv.so.5
libkdb5.so.4 => /usr/local/krb5-1.6.3/lib/libkdb5.so.4
libgssrpc.so.4 => /usr/local/krb5-1.6.3/lib/libgssrpc.so.4
libgssapi_krb5.so.2 =>
/usr/local/krb5-1.6.3/lib/libgssapi_krb5.so.2
libkrb5.so.3 => /usr/local/krb5-1.6.3/lib/libkrb5.so.3
libk5crypto.so.3 => /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
libcom_err.so.3 => /usr/local/krb5-1.6.3/lib/libcom_err.so.3
libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libkrb5support.so.0 =>
/usr/local/krb5-1.6.3/lib/libkrb5support.so.0
libc.so.1 => /lib/libc.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libm.so.2 => /lib/libm.so.2
Ok, everything seems good.
It seems ok to me, now I hope that it could help anybody who encounters
trouble with his AFS/Kerberos 5 migration ;-)
Thanks again for those who took some time to answer me
Cheers
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
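
The linkage check described in the message above, as an added example (not part of the original post or of the migration kit): a shell function that reads `ldd` output and fails when a Kerberos 5 library is absent, unresolved, or resolved outside the expected prefix. The function name, the required-library list and the two sample listings are assumptions constructed from the `ldd` outputs in this thread.

```shell
#!/bin/sh
# Added example: confirm from ldd output that the Kerberos 5 libraries are
# dynamic dependencies and all resolve under one expected prefix.

# Names taken from the working ldd listing in the post (assumed sufficient).
REQUIRED_LIBS="libkadm5srv libkdb5 libkrb5 libk5crypto libcom_err libkrb5support"

# Constructed samples, abridged from the two ldd listings in the thread.
GOOD_LDD='libkadm5srv.so.5 => /usr/local/krb5-1.6.3/lib/libkadm5srv.so.5
libkdb5.so.4 => /usr/local/krb5-1.6.3/lib/libkdb5.so.4
libkrb5.so.3 => /usr/local/krb5-1.6.3/lib/libkrb5.so.3
libk5crypto.so.3 => /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
libcom_err.so.3 => /usr/local/krb5-1.6.3/lib/libcom_err.so.3
libkrb5support.so.0 => /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
libc.so.1 => /lib/libc.so.1'
BAD_LDD='libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libc.so.1 => /lib/libc.so.1'

# check_krb5_linkage PREFIX   (ldd output on stdin)
# Prints one line per problem and returns 0 only when there are none.
check_krb5_linkage() {
    prefix=$1
    ldd_out=$(cat)
    problems=0
    for lib in $REQUIRED_LIBS; do
        # "libkrb5" must not match "libkrb5support", hence the anchored "\.so".
        path=$(printf '%s\n' "$ldd_out" | awk -v l="$lib" \
            '$1 ~ ("^" l "\\.so") && $2 == "=>" { print $3; exit }')
        case $path in
            "")          echo "MISSING $lib: not a dynamic dependency" ;;
            "$prefix"/*) continue ;;   # resolved where expected
            /*)          echo "FOREIGN $lib: $path is outside $prefix" ;;
            *)           echo "UNRESOLVED $lib: loader could not find it" ;;
        esac
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# On a real build: ldd ./afs2k5db | check_krb5_linkage /usr/local/krb5-1.6.3/lib
printf '%s\n' "$GOOD_LDD" | check_krb5_linkage /usr/local/krb5-1.6.3/lib && echo "good sample: linked"
printf '%s\n' "$BAD_LDD"  | check_krb5_linkage /usr/local/krb5-1.6.3/lib || echo "bad sample: rejected"
```

The FOREIGN case matters on a host with more than one Kerberos installation, where a binary can link cleanly against a different libkrb5 than the one the KDC was built with.
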
[email protected] wrote:
Try building afs2k5db like below. If that works for ya, then
mention it to the list. If that doesn't work for ya, then try
following these directions exactly:
http://cf.ccmr.cornell.edu/publicdownloads/afs/ReadMe-to_krb5.html
steve
--
** notes from building afs2k5db on SL/RHEL44 **
## install openafs (1.4.7) headers...
sudo yum install openafs-devel
## build krb5 in /usr/local/src/krb5-1.3.6
untar
./configure --without-tcl
make
cp ./util/et/com_err.h include # cruft, not necessary?
cp ./include/krb5/stock/osconf.h include # cruft, not necessary?
## make afs2k5db in /usr/local/src/afs-krb5
untar
./configure --with-krb5-src=/usr/local/src/krb5-1.3.6/src \
--with-krb5-config=/usr/local/src/krb5-1.3.6/src/krb5-config \
CFLAGS="-m32 -L/usr/local/src/krb5-1.3.6/src/lib" \
LDFLAGS="-m32 -L/usr/local/src/krb5-1.3.6/src/lib"
cd /usr/local/src/krb5-1.3.6/src/include
vi k5-int.h
#if 0 #endif around struct _krb5_rc_ops { }
make afs2k5db
sudo cp afs2k5db /usr/sbin/afs2k5db
(use aklog and asetkey from modern openafs build)
> ---- Original Message ----
> From: Remi Ferrand <[email protected]>
> Hi
>
> I'm trying to convert a kaserver.DB into Kerberos DB with afs2k5db
> utility.
> We're running Kerberos 1.6.3 on our KDC, but since afs2k5db seems only
> compatible with the 1.2.x series I've used 1.2.7 from the MIT website (so this
> is MIT Kerberos :)
>
> I had the afs-krb5.tar package from the Grand Central AFS cell
> (/afs/grand.central.org/software/afs-krb5/) and I've compiled it across
> MIT Kerberos 1.2.7 and OpenAFS 1.4.10.
>
> After manually modifying the Makefile, compilation succeeded for afs2k5db
> (the only tool I'm interested in from the afs-krb5 archive) (see
> attachment for my modified Makefile)
>
> First surprise, afs2k5db is not linked with any of my Kerberos 5
> libraries ::
> ldd afs2k5db
> libresolv.so.2 => /lib/libresolv.so.2
> libsocket.so.1 => /lib/libsocket.so.1
> libnsl.so.1 => /lib/libnsl.so.1
> libc.so.1 => /lib/libc.so.1
> libmp.so.2 => /lib/libmp.so.2
> libmd.so.1 => /lib/libmd.so.1
> libscf.so.1 => /lib/libscf.so.1
> libdoor.so.1 => /lib/libdoor.so.1
> libuutil.so.1 => /lib/libuutil.so.1
> libgen.so.1 => /lib/libgen.so.1
> libm.so.2 => /lib/libm.so.2
>
> So, maybe the Kerberos 5 code is statically linked into my binary (but I'm
> doubtful, no -static is present in the Makefile)
>
> I could use afs2k5db to dump my kaserver.DB0 ::
> afs2k5db /PATH/TO/kaserver.DB0 > kaserver.out
>
> I've deleted AuthServer/Admin, afs key, and ktgt lines manually.
>
> I could import it successfully into my Kerberos 5 db with ::
> kdb5_util load -update -verbose kaserver.out
> [account listing]
>
> I could do a getprinc on any of my old AFS credentials ::
> kadmin.local -q "getprinc rferrand"
> Authenticating as principal root/[email protected] with password.
> Principal: [email protected]
> Expiration date: Thu Dec 31 01:00:00 MET 2037
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: -24670 days -1:-8:-16
> Maximum renewable life: 7 days 00:00:00
> Last modified: Fri Jul 10 10:25:23 MEST 2009 ([email protected])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 0, DES cbc mode with CRC-32, AFS version 3
> Attributes:
> Policy: [none]
>
> ( Max ticket life time is bogus, but not the problem here )
>
> But I can't use my accounts because the passwords seem badly imported from
> kasDB ::
>
> kinit rferrand
> Password for [email protected]:
> kinit(v5): Password incorrect while getting initial credentials
>
> A capture with wireshark doesn't show any error (before I had a
> DECRYPT_INTEGRITY error, but not anymore), krbtgt/CELL_NAME is sent
> to my client, but nothing appears with a "klist"
>
> My KDCs logs don't show anything unusual ::
> Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes
> {18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157,
> etypes {rep=1 tkt=16 ses=16}, [email protected] for
> krbtgt/[email protected]
>
> My krbtgt/TEST.IN2P3.FR principal is as this ::
> r...@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
> krbtgt/TEST.IN2P3.FR"
> Authenticating as principal root/[email protected] with password.
> Principal: krbtgt/[email protected]
> [...]
> Number of keys: 2
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
> And my Master Key for Kerberos V DB is ::
> r...@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
> K/[email protected]"
> Authenticating as principal root/[email protected] with password.
> Principal: K/[email protected]
> [...]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes: DISALLOW_ALL_TIX
> Policy: [none]
>
> Simple DES is used...
>
> My kdc.conf file ::
> r...@cckrb01:/usr/local/krb5/var/krb5$ cat /etc/krb5/kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
> v4_mode = disable
>
> [realms]
> TEST.IN2P3.FR = {
> master_key_type = des-cbc-crc
> supported_enctypes = aes256-cts:normal
> des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:v4
> des-cbc-crc:afs3 des-cbc-crc:normal
>
> database_name = /usr/local/krb5/var/krb5kdc/principal
> admin_keytab =
> FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
> acl_file = /etc/krb5/kadm5.acl
> key_stash_file
> = /usr/local/krb5/var/krb5kdc/.k5.TEST.IN2P3.FR
> kdc_ports = 750,88
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> }
>
> Everything is working, but the migration of users from kasDB to Krb5DB.
>
> If anybody has any idea ...
>
> Thanks
> Rémi
>
>
> --
> Remi Ferrand | Institut National de Physique Nucleaire
> Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
> Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
>
> [...]
>
>
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
>