[OpenAFS] Migration from kaserver to krb5.

Christopher Allen Wing wingc@engin.umich.edu
Tue, 11 Apr 2006 11:34:00 -0400 (EDT)


Hello,


On Tue, 11 Apr 2006, O Plameras wrote:

> I have running servers with OpenAFS-1.4.1 on FC5 using kaserver.
>
> I have used clients running OpenAFS on FC4/Win2000 and
> OpenAFS-1.4.1rc10 on FC5.
>
> This setup is working without any problem so far.

Do you have any actual users in your AFS cell yet?  Or did you just set it 
up with kaserver for testing purposes?

If you don't yet have any user accounts / passwords, it's probably easiest 
not to bother with the kaserver conversion, but instead, just create new 
principals in the k5 database and reset the afs key.

> I want to convert from kaserver to krb5.
>
> I installed and tested krb5-1.4.3 KDC. This works.
>
> Then I did these.
> [oscarp@toshiba]$kinit admin/admin
> [oscarp@toshiba]$aklog example.com.ex -k EXAMPLE.COM.EX
> [oscarp@toshiba]$tokens
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@example.com.ex [Expires Apr 11 22:04]
>   --End of list--

Did you create a new 'afs' principal in the K5 database?

> It is my understanding that I need to run afs2k5db on kaserver.DBO
> and use the output to update krb5 keys.

You only need to do this if you have users and passwords which you care 
about preserving.  Otherwise, it's probably simpler to recreate the 
principals in the K5 database, and create a new 'afs/cell.name@REALM.NAME' 
key.

> My problem is I can't compile afs2k5db.

You need to have the source code tree to the version of Kerberos which you 
are running.  This can be a pain.

Did you compile krb5 yourself, or are you using the stuff from FC5?  If 
the former is the case, no problem.  If the latter is the case, you will 
need to download the FC5 source RPM for kerberos, and do something like:

 	create a temporary RPM root to build RPMs

 	rpm -ivh krb5-1.4.x.src.rpm

 	cd <rpmroot>/SPECS

 	rpmbuild -ba krb5.spec


Then you will have an expanded source tree in <rpmroot>/BUILD which you 
can use to compile the afs-krb5 stuff.  Note that you have to actually 
perform the build in the krb5 directory, because some of the files used by 
afs-krb5 require an actually built krb5.  (you can't just download the 
Kerberos source code and untar it)


Then download the afs-krb5 tar file.  It won't build properly against 
recent OpenAFS and Kerberos so you will need some patches.  I have not yet 
built afs-krb5 against krb5-1.4.x, so I don't know what changes are 
necessary.

However, here are the patches that I used to build afs-krb5 against 
krb5-1.3.x and openafs-1.4.x:

 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/
 		afs-krb5-2.0-umich.patch
 		afs-krb5-2.0-kfdump.patch
 		afs-krb5-2.0-krb524.patch
 		afs-krb5-2.0-k5private.patch
 		afs-krb5-2.0-libsocket.patch
 		afs-krb5-2.0-warnings.patch
 		afs-krb5-2.0-betterka2dump.patch
 		afs-krb5-2.0-res_search.patch
 		afs-krb5-2.0-com_err.patch
 		afs-krb5-2.0-openafs1.3.patch
 		afs-krb5-2.0-noaklog.patch

Download the patches and apply them in that order to the afs-krb5 source 
code.

You need to have the header files and libraries that come with OpenAFS for 
development purposes.  (probably in the openafs-devel RPM)

You then need to build it as follows:

 	cd <afs-krb5 source code tree>

 	autoreconf

 	./configure --prefix=/usr --with-krb5=/usr/kerberos \
 		--with-afs=/usr --with-umich

# where <rpmroot> is the RPM root where you built the krb5 stuff
# (make sure that <rpmroot>/BUILD/krb5-1.4.x/include is actually the 
# correct path to the include files, etc.)

 	make EXTRA_INC="-I<rpmroot>/BUILD/krb5-1.4.x/include -I/usr/include/et"


That probably assumes that you are using a 32-bit OS, because it will look 
for the AFS libraries in /usr/lib not /usr/lib64.  If you are using a 
64-bit OS, you will need to do something different with --with-afs.

I use something similar to the above to build it on RHEL4, however I 
always build afs-krb5 along with the rest of OpenAFS, so I have access to 
the OpenAFS source code tree.

If you build OpenAFS yourself (from RPM), then you can do:


 	./configure --prefix=/usr --with-krb5=/usr/kerberos \
 		--with-afs=<afsrpmroot>/BUILD/xxx/<sysname>/dest --with-umich

where <afsrpmroot> is the RPM root where you built OpenAFS, and the files 
are built into BUILD/openafs-x.x.x/xxx/sysname/dest

where sysname is probably i386_linux26 or amd64_linux26, etc.




As you can see it is somewhat complicated.

If you want to go ahead and use afs-krb5, you may also find this script 
useful:

 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/kas-kdb-merge.pl


The afs2k5db program generates a krb5 dump record which is missing 'last 
modified by' data.  This is because getting the information requires more 
knowledge of the kaserver database than afs2k5db implements.

If you use that script, it will take the output of 'kas list -long' and 
add back in the 'last modified by' data into the dump record.  This is 
mainly interesting if you have been running kaserver for a long time and 
would like to preserve as much metadata as possible when you convert to 
pure krb5.



But overall, if you don't have any actual production users in your cell, 
or if you only have a few people and it wouldn't be a big deal to just 
change their passwords, I would recommend skipping the afs2k5db entirely 
and just regenerating the afs key from scratch.


-Chris Wing
wingc@engin.umich.edu
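Added example (not part of Chris Wing's message, and not code from OpenAFS or afs-krb5). The reply's recommended path is to skip afs2k5db, create a fresh afs/cell.name@REALM.NAME principal in the krb5 database and regenerate the AFS key. The step that usually goes wrong there is installing that key into the AFS KeyFile: OpenAFS 1.4's KeyFile holds only single-DES keys, so the keytab extracted from the KDC must contain a DES entry (enctypes 1 to 3) for the afs principal, and the kvno passed to asetkey must match that entry. The script below parses an MIT-format keytab (version 0x0502) offline, picks the entry asetkey can use, and refuses non-DES keys. The keytab contents, the principal name, the path /etc/afs.keytab and the asetkey invocation are assumptions for illustration; the keytab bytes are constructed in the script rather than read from a real KDC.

```python
"""Pick the keytab entry to hand to asetkey for the AFS service principal.

Assumptions (not from the original post): MIT keytab layout, big-endian,
format version 5.2; OpenAFS 1.4 KeyFile accepts only single-DES keys, so
enctypes 1-3 are the only ones asetkey can install.
"""
import struct

DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
KT_VERSION = b"\x05\x02"


def _counted(b):
    # keytab "counted octet string": uint16 length followed by the bytes
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(realm, components, enctype, kvno, key, timestamp=0):
    """Serialize one keytab entry (used here only to construct sample data)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT-PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key       # keyblock
    body += struct.pack(">I", kvno)                           # 32-bit vno (newer keytabs)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KT_VERSION + b"".join(entries)


def parse_keytab(data):
    """Return a list of dicts: principal, kvno, enctype, key, timestamp."""
    if data[:2] != KT_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        e, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2
        (rlen,) = struct.unpack_from(">H", e, p); p += 2
        realm = e[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", e, p); p += 2
            comps.append(e[p:p + clen].decode()); p += clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", e, p); p += 9
        enctype, klen = struct.unpack_from(">HH", e, p); p += 4
        key = e[p:p + klen]; p += klen
        kvno = vno8
        if p + 4 <= size:                 # trailing 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", e, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": ts})
        off += size
    return entries


def afs_key_for_asetkey(entries, principal):
    """Return (kvno, key) of the highest-kvno DES entry for principal, or raise."""
    cands = [e for e in entries if e["principal"] == principal]
    if not cands:
        raise LookupError("no entry for %s in keytab" % principal)
    des = [e for e in cands if e["enctype"] in DES_ENCTYPES]
    if not des:
        raise ValueError("%s has only non-DES keys (enctypes %s); re-extract it with "
                         "'ktadd -e des-cbc-crc:v4'" % (principal, sorted({e["enctype"] for e in cands})))
    best = max(des, key=lambda e: e["kvno"])
    key = best["key"]
    # A KDC-generated DES key is 8 bytes with odd parity per byte; anything else was mangled.
    if len(key) != 8 or not all(bin(b).count("1") % 2 == 1 for b in key):
        raise ValueError("DES key for %s is malformed" % principal)
    return best["kvno"], key


def asetkey_command(keytab_path, entries, principal):
    kvno, _ = afs_key_for_asetkey(entries, principal)
    return "asetkey add %d %s %s" % (kvno, keytab_path, principal)


# Constructed sample: an AES entry asetkey cannot use, an old DES kvno 2, and the current DES kvno 3.
AFS_PRINC = "afs/example.com.ex@EXAMPLE.COM.EX"
SAMPLE_KEYTAB = build_keytab([
    build_keytab_entry("EXAMPLE.COM.EX", ["afs", "example.com.ex"], 18, 2, bytes(32)),
    build_keytab_entry("EXAMPLE.COM.EX", ["afs", "example.com.ex"], 1, 2, bytes.fromhex("0123456789abcdef")),
    build_keytab_entry("EXAMPLE.COM.EX", ["afs", "example.com.ex"], 1, 3, bytes.fromhex("fedcba9876543210")),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e["principal"], "kvno", e["kvno"], DES_ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"]))
    print(asetkey_command("/etc/afs.keytab", entries, AFS_PRINC))
```

Read a real keytab with open(path, "rb").read() in place of SAMPLE_KEYTAB. After asetkey has installed the key, compare the kvno it reports in 'bos listkeys' with the one printed here; a mismatch between the KeyFile kvno and the KDC's current kvno is the usual reason a freshly regenerated afs key yields tokens that the fileservers reject.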