[OpenAFS] definitive / up-to-date kerberos 5 migration information desired
Christopher Allen Wing
wingc@engin.umich.edu
Thu, 4 Aug 2005 15:30:10 -0400 (EDT)
John:
If you want to preserve a little bit more of the metadata in the kaserver
database when converting to Kerberos 5, take a look at:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.86/SOURCES/afs-krb5-2.0-betterka2dump.patch
This is a patch against 'afs2k5db' which does the following:
- preserves the semantics of the 'NOTGS' flag in ka entries
- preserves the 'password last changed' timestamp
- uses the correct value for password expiration time (0 means never, not 2145830400)
You can also use the following script on top of that:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.86/SOURCES/kas-kdb-merge.pl
which will merge back in the information about which user last modified a
given ka database entry. Otherwise this information will be lost when you
convert to krb5.
The script would be used as follows:

    kas list -long >/tmp/kas_output.txt
    afs2k5db /usr/afs/db/kaserver.DB0 >/tmp/krb5-dumpfile
    ./kas-kdb-merge.pl /tmp/krb5-dumpfile /tmp/kas_output.txt YOUR.REALM.NAME >/tmp/final-krb5-database

This is only important if you care about preserving as much information as
possible from the original kaserver database; you can use the unpatched
afs2k5db as-is without any problems.
-Chris Wing
wingc@engin.umich.edu
> I finally have a few days to migrate our cell from AFS-KRB to Kerb5.
> We have a few hundred users and I'd like to migrate the cell without
> too much disruption. Looking at the AFS wiki, I find
> - dead links to Ken Hornstein's AFS-KRB 5 migration kit
> (the FTP server doesn't exist any more?)
> - dead links to Schulz at Karlsruhe's info on migration
> - a live AFS file (date 2001) on using KTH Heimdal's Krb5
> Has the train left the station long ago?