Hi Jeffrey,

Thanks for your prompt and constructive reply.


If the afs2k5db tool was compiled against OpenAFS 1.2 and MIT Kerberos 1.2, does 
it work for the Openafs-1.4.14-1 version under 64-bit?
Or is there another method to migrate the users to KDC 5?


Let me thank you again.


Best Regards,
Qiulan




Original message
From: Jeffrey [email protected]
To: [email protected]; [email protected]
Sent: Tuesday, May 15, 2018, 21:00
Subject: [SPAM] Re: [OpenAFS] About the upgrading from kaserver to Kerberos 5


The original poster's text has been modified to replace "Kerberos 4" with
"kaserver". "kaserver" is not the same as MIT Kerberos 4 and it is very
important to distinguish between the two.

On 5/15/2018 4:52 AM, huangql wrote:
> Hi all,
>
> We are working on the upgrading of Openafs kaserver to KDC 5. We
> checked some documents to know we have to use afs2k5db tool to convert
> users in kaserver to KDC 5. But it's really a pain to compile it with
> Openafs-1.4.14-1 and krb5-server-1.10.3-65.el6.x86-64 due to the
> incompatibility of the higher version of krb5 and AFS.
>
> I tried to modify the afs2k5db source code to eliminate the compile
> error to generate the tool afs2k5db. However, we failed to convert
> users with the following error.
>
> [root@afs01src]#./afs2k5db/usr/afs/db/kaserver.DB0anafsuser.out
> Read of KA database header failed: only got 37888 of 65632 bytes
>
> Could you help to figure out the issue? And is there other quick way to
> migrate the users in kaserver to KAS

The afs-krb5 source code worked by compiling against private
functions within both OpenAFS 1.2.x and MIT Kerberos 1.2.x. The kaserver
database format has not changed since that time and although the MIT Kerberos
1.2.x database format has changed it is still possible to dump the MIT Kerberos
database from 1.2.x and import it into current data MIT.

Current versions of Kerberos have removed all support for Kerberos v4 and have
significantly reduced if not removed entirely support for the DES encryption
types.

It will be easier to build a working version of afs2k5db by building the tool
against OpenAFS 1.2 and MIT Kerberos 1.2. Building each of those might require
using an old 32-bit version of Linux and the gcc toolchain. Current versions of
gcc and clang are unlikely to compile old source code trees and there is the
possibility that there are 64-bit compatibility issues with those old releases
as well.

Good luck.

Jeffrey Altman
