[OpenAFS] Converting kaserver to krb5/heimdal

Brandon S Allbery KF8NH allbery@ece.cmu.edu
03 May 2002 13:38:54 -0300

On Fri, 2002-05-03 at 11:50, Derek Atkins wrote:
> 1) Create your KDC realm
> 2) Create a key in your kdc: afs/<cell>@REALM
> 3) extract your afs/<cell>@REALM key to a keytab -- be sure you only
>    have a des-cbc-crc keytype, and no 3des keytypes.
> 4) Use asetkey to copy the key from the keytab to the KeyFile
> 5) (re)start your AFS servers
> 6) use kinit and aklog (or the pam equivalents) to authenticate

Actually, if heimdal is built with AFS support:

1) create your KDC realm;
2) shut down kaserver, start KDC in krb5-only mode;
3) use hprop to populate the KDC from kaserver.DB0;
4) restart the KDC.

And changing the way you authenticate isn't necessary, nor is KeyFile
munging, because you'll have imported the existing key as part of the
hprop and because the KDC understands enough of the kas protocol to work
with klog.

The hprop invocation looks like:

/usr/heimdal/libexec/hprop -m /var/heimdal/m-key \
                           -d /usr/afs/db/kaserver.DB0 \
                           -K -c ece.cmu.edu -S -r ECE.CMU.EDU \
                           -D -v -n |
/usr/heimdal/libexec/hpropd -n

(Substitute your realm and cell names, check pathnames, and it's
possible that some hprop options have reversed their meanings in newer
versions:  you want to ensure that it copies over the KASPECIAL keys.)

brandon s. allbery   [os/2][linux][solaris][japh]  allbery@kf8nh.apk.net
system administrator      [WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering                                KF8NH
carnegie mellon university  ["better check the oblivious first" -ke6sls]
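An added example, not from the original message, that wraps the hprop/hpropd import described above in a small script with a preflight check (kaserver stopped, inputs readable) and a post-import check that the cell's afs key actually came across. Install paths come from the message; the pgrep check and the one-principal-per-line format of `kadmin -l list` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): drives the hprop/hpropd import
# described above with preflight and post-import checks.
set -eu

HEIMDAL=/usr/heimdal           # assumed Heimdal install prefix
MKEY=/var/heimdal/m-key        # KDC master key (path from the post)
KADB=/usr/afs/db/kaserver.DB0  # kaserver database (path from the post)

# Build the hprop argument list for a cell/realm pair, one argument per line,
# so it can be reviewed (or tested) before anything touches the KDC.
hprop_args() {
    cell=$1; realm=$2
    printf '%s\n' -m "$MKEY" -d "$KADB" -K -c "$cell" -S -r "$realm" -D -v -n
}

# Refuse to import while kaserver is still running or inputs are missing.
preflight() {
    if pgrep -x kaserver >/dev/null 2>&1; then   # assumption: pgrep available
        echo "kaserver is still running; stop it first" >&2; return 1
    fi
    [ -r "$MKEY" ] || { echo "missing master key $MKEY" >&2; return 1; }
    [ -r "$KADB" ] || { echo "missing kaserver DB $KADB" >&2; return 1; }
}

# Reads 'kadmin -l list' output on stdin (assumed: one principal per line)
# and succeeds only if the cell's afs service principal is present.
afs_key_imported() {
    cell=$1; realm=$2
    grep -qx "afs/$cell@$realm"
}

migrate() {
    cell=$1; realm=$2
    preflight
    # shellcheck disable=SC2046  (arguments contain no whitespace)
    "$HEIMDAL/libexec/hprop" $(hprop_args "$cell" "$realm") \
        | "$HEIMDAL/libexec/hpropd" -n
    "$HEIMDAL/sbin/kadmin" -l list '*' | afs_key_imported "$cell" "$realm" \
        || { echo "afs/$cell@$realm missing after import" >&2; return 1; }
}

# Only act when explicitly asked, e.g.:
#   RUN_MIGRATION=1 ./migrate.sh ece.cmu.edu ECE.CMU.EDU
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    migrate "$1" "$2"
fi
```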