[OpenAFS] Win2K AFS server, mirror data+config to RHEL4.5 new Server?

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 19 Aug 2008 10:10:17 -0400

avison48 wrote:
> Thank you very much for responding.
>> Your server OS is Windows 2000.  What is the AFS Server
>> version?
> IBM AFS v3.5 (works great)

That is what I expected.  The OpenAFS servers do not work very
well and no one has put the time into fixing them.

>>> Our KDC is a Windows server managed by someone else who wants to upgrade
>>> it, which will probably break krb to the Win2K AFS server.
>> Why do you believe this to be true?
> The KDC/Microsoft SysAdmin knows more about Kerberos than I, & knew
> the former admin who built the Win2K AFS server & did tweaking of it; he's
> pretty sure his planned upgrade on the KDC will break this win2K AFS hacked
> kerberos. So he strongly advises migrating AFS to another platform, & our
> standard (now) is SL4.5. Seems a good idea to retire a Win2K server anyway.
> His KDC is currently Win2003, I'm not sure what he wants to upgrade.
> But he's quite sure the tweaked kerberos used by the Win2K server will break.
> All How-to AFS-server doc found so far seems to expect the AFS admin is
> full KDC admin (and on Unix too). But I have no access to our microsoft 
> KDC - am 'just a customer' of it.

You keep saying "hacked".  The IBM AFS Servers (regardless of platform)
do not support Kerberos v5 ticket formats.  Therefore, the way that a
Kerberos v5 KDC (such as Windows 2003) can be used is for authentication
is to create an "afs/<cell>@<REALM>" service principal, mark it for DES
only encryption, copy the DES key to the AFS KeyFile using a keytab and
asetkey.   A krb524 and/or a kaforwarder daemon must then be installed
on the AFS server in order to obtain AFS tokens in the Kerberos v4
format understood by the IBM Servers.

Now, if Active Directory is already running on Windows 2003, there is
not going to be a key change for AFS as a result of your upgrade.

Perhaps your admin is simply worried that the IBM AFS Server will not
install on Windows 2003.

In any case, there are many reasons to upgrade your servers to OpenAFS.
If you would prefer to stay on Windows for your AFS Servers and have a
few pounds to invest in its support, I would be happy to work with you
off-line to get you OpenAFS Server binaries that will work on Windows
2003 and 2008.

>>> I found a KeyFile on the Win2K AFS server (type data),
>> The KeyFile is the AFS file that contains the AFS keys.
>> All servers in the AFS cell must have a copy of it.  This is not a keytab
>> file.
> Thank you for that info! What is done then with the type=data Keyfile from
> a Win2K IBM AFS 3.5 server on an SL4.5 mirrored AFS server?

A binary copy via a secure method is sufficient.