On 5/15/2018 11:24 AM, huangql wrote:
> Hi Jeffrey,
>
> Thanks for your prompt and constructive reply.
>
> If the afs2k5db tool was compiled against OpenAFS 1.2 and MIT Kerberos
> 1.2, does it work for Openafs-1.4.14-1 version under 64bit?

As I indicated, the kaserver database file format has not changed. Therefore, it should not matter.

> Or is there other method to migrate the users to kdc 5?

Well, IHEP could just bring up a new Kerberos v5 realm and create all necessary client and server principals from scratch. At this point that might not be such a bad idea.

The kaserver (being Kerberos v4 based) only supports DES-CBC-CRC 56-bit keys. Those keys can be brute forced in under 20 hours. The krbtgt and afs keys are particularly vulnerable. Theft of them permits any identity to be forged. Copying these keys into the new Kerberos v5 realm is pointless as they must be replaced immediately.

The client configurations will have to be updated in any case to deploy Kerberos v5 libraries and configuration files.

My recommendation is to start from scratch with Kerberos v5 and configure the AFS cell to accept both kaserver and Kerberos v5 for authentication. See the OpenAFS krb.conf man page.

Again, good luck.

Jeffrey Altman
