The original poster's text has been modified to replace "Kerberos 4" with "kaserver". "kaserver" is not the same as MIT Kerberos 4 and it is very important to distinguish between the two.
On 5/15/2018 4:52 AM, huangql wrote: > Hi all, > > > We are working on the upgrading of Openafs kaserver to KDC 5. We > checked some documents to know we have to use afs2k5db tool to convert > users in kaserver to KDC 5. But it's really a pain to compile it with > Openafs-1.4.14-1 and krb5-server-1.10.3-65.el6.x86-64 due to the > incompatibility of the higher version of krb5 and AFS. > > I tried to modify the afs2k5db source code to eliminate the compile > error to generate the tool afs2k5db. However, we failed to convert > users with the following error. > > [root@afs01 src]# ./afs2k5db /usr/afs/db/kaserver.DB0 > anafsuser.out > Read of KA database header failed: only got 37888 of 65632 bytes > > Could you help to figure out the issue? And is there other quick way to > migrate the users in kaserver to KAS The afs-krb5 source code worked by compiling against private functions within both OpenAFS 1.2.x and MIT Kerberos 1.2.x. The kaserver database format has not changed since that time and although the MIT Kerberos 1.2.x database format has changed it is still possible to dump the MIT Kerberos database from 1.2.x and import it into current data MIT. Current versions of Kerberos have removed all support for Kerberos v4 and have significantly reduced if not removed entirely support for the DES encryption types. It will be easier to build a working version of afs2k5db by building the tool against OpenAFS 1.2 and MIT Kerberos 1.2. Building each of those might require using an old 32-bit version of Linux and the gcc toolchain. Current versions of gcc and clang are unlikely to compile old source code trees and there is the possibility that there are 64-bit compatibility issues with those old releases as well. Good luck. Jeffrey Altman
<<attachment: jaltman.vcf>>
smime.p7s
Description: S/MIME Cryptographic Signature
