[OpenAFS] Heimdal and OpenAFS...
Eric Knudstrup
eric@knudstrup.org
Fri, 11 May 2001 00:24:12 -0700
I followed some of the directions in a post by Derrick from early April
about using Heimdal, and I just built and tried to install it:
[OpenAFS] openafs and kerberos5
Derrick J Brashear shadow@dementia.org
Mon, 9 Apr 2001 12:13:11 -0400 (EDT)
On Mon, 9 Apr 2001, Forrest D. Whitcher wrote:
> David,
>
> I've been wrestling with this for several weeks, and have gotten
> a good bit of help from Ken Hornstein who put together the most
> recent (to my knowledge) set of migration tools for this.
I suppose I'm an anomaly since I have a strong background in both AFS and
Kerberos (both v4 and v5). I set it up, switched off my kaserver, and it
"just worked".
> Results so far are that I was able to get an apparently successful
> build of the essential tools (asetkey and aklog). However I've as
> yet been unable to make it work in-practice.
>
> (!!!! btw HELP! :- ... the latest I've been able to figure out is
> that when I obtain an afs ticket from the k5 KDC (requires krb524d
> be running to translate tickets).. the AFS key that is granted is
> listed in the K5 tickets !!!??? might explain why afs is complaining
> when I try to use the ticket????)
Your punctuation keys seem to be sticking. aklog (if you use Ken's v5
aklog) takes the ticket from the v5 cred cache, makes a token, and sticks
it in the kernel.
Anyhow, if you're converting an existing cell, and setting up krb5 for the
first time, I recommend Heimdal for your krb5 servers, as it has tools to
make the transition really, really easy. hprop (like kprop, but
Heimdal-specific) can be used to convert a kaserver database directly to a
v5 database. Basically:
-Follow the instructions to configure heimdal and initialize a realm,
including master key setup.
-Then, immediately run /path/to/hprop --source=kaserver -c your.cell -n | /path/to/hpropd -n
-If you want to keep using klog and not need to worry about aklog,
configure heimdal's KDC to listen on the kaserver port (from krb5.conf:)
[kdc]
enable-kaserver = true
afs-cell = your.cell
-If you want to use 524 translation service with an aklog that does 524 to
get an afs ticket:
[kdc]
enable-524 = true
v4-realm = YOUR.REALM
-Wise to configure kadmin to generate afs keys when passwords get changed
so klog stays happy, *but* klog can also do des string to key, so
generating v4-style keys is sufficient. The former would be:
[kadmin]
default_keys = afs3 v5
afs-cell = your.cell
The latter:
[kadmin]
default_keys = v4 v5
v4-realm = YOUR.REALM
Or collect all 3:
default_keys = v4 v5 afs3
afs-cell = your.cell
v4-realm = YOUR.REALM
To set up AFS in an existing krb5 realm:
-Create the key for afs or afs.cell.name, making sure there's a v4-salted
key generated for it.
-If you use heimdal, you can add the key to your keytab using ktutil, then
ktutil copy /etc/krb5.keytab AFSKEYFILE:/usr/afs/etc/KeyFile
and it should copy only the afs key from the keytab
-If you use MIT krb5, it's harder. You'll need a krb5-aware asetkey, and
to ktutil add the afs key, then run asetkey.
-At this point clients should be able to run aklog5 and get a useful token
for AFS.
For bootstrapping a new MIT krb5 realm, hopefully someone else can give a
step-by-step.
-D
Now, when I try to do a kadmin -l and do an init KNUDSTRUP.ORG, I get the
following:
[root@taipienyi heimdal]# sbin/kadmin -l
kadmin> init KNUDSTRUP.ORG
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: kadm5_create_principal: Program lacks support for encryption type
[root@taipienyi heimdal]#
Attached are the contents of my krb5.conf:
[root@taipienyi heimdal]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = KNUDSTRUP.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
KNUDSTRUP.ORG = {
kdc = taipienyi.knudstrup.org:88
admin_server = taipienyi.knudstrup.org:kerberos-adm
default_domain = knudstrup.org
}
[domain_realm]
.knudstrup.org = KNUDSTRUP.ORG
knudstrup.org = KNUDSTRUP.ORG
[kdc]
profile = /usr/local/var/krb5kdc/kdc.conf
enable-kaserver = true
afs-cell = knudstrup.org
enable-524 = true
v4-realm = KNUDSTRUP.ORG
[kadmin]
default_keys = v4 v5 afs3
afs-cell = knudstrup.org
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
[root@taipienyi heimdal]#
I think I've followed the instructions, where do I go next?
Thanks,
Eric