[OpenAFS] Heimdal and OpenAFS...

Eric Knudstrup eric@knudstrup.org
Fri, 11 May 2001 00:24:12 -0700


I followed some of the directions in a post by Derrick from early April
about using Heimdal, and I just built and tried to install it:

[OpenAFS] openafs and kerberos5
Derrick J Brashear shadow@dementia.org
Mon, 9 Apr 2001 12:13:11 -0400 (EDT)


On Mon, 9 Apr 2001, Forrest D. Whitcher wrote:

> David,
>
> I've been wrestling with this for several weeks, and have gotten
> a good bit of help from Ken Hornstein who put together the most
> recent (to my knowledge) set of migration tools for this.

I suppose I'm an anomaly since I have a strong background in both AFS and
Kerberos (both v4 and v5). I set it up, switched off my kaserver, and it
"just worked".

> Results so far are that I was able to get an apparently successful
> build of the essential tools (asetkey and aklog). However I've as
> yet been unable to make it work in-practice.
>
> (!!!! btw HELP! :- ... the latest I've been able to figure out is
> that when I obtain an afs ticket from the k5 KDC (requires krb524d
> be running to translate tickets).. the AFS key that is granted is
> listed in the K5 tickets !!!??? might explain why afs is complaining
> when I try to use the ticket????)

Your punctuation keys seem to be sticking. aklog (if you use Ken's v5
aklog) takes the ticket from the v5 cred cache, makes a token, and sticks
it in the kernel.

Anyhow, if you're converting an existing cell, and setting up krb5 for the
first time, I recommend Heimdal for your krb5 servers, as it has tools to
make the transition really, really easy. hprop (like kprop, but
Heimdal-specific) can be used to convert a kaserver database directly to a
v5 database. Basically:
-Follow the instructions to configure heimdal and initialize a realm,
including master key setup.
-Then, immediately run /path/to/hprop --source=kaserver -c
your.cell -n|/path/to/hpropd -n
-If you want to keep using klog and not need to worry about aklog,
configure heimdal's KDC to listen on the kaserver port (from krb5.conf:)
[kdc]
enable-kaserver = true
afs-cell = your.cell
-If you want to use 524 translation service with an aklog that does 524 to
get an afs ticket:
[kdc]
enable-524 = true
v4-realm = YOUR.REALM

-Wise to configure kadmin to generate afs keys when passwords get changed
so klog stays happy, *but* klog can also do des string to key, so
generating v4-style keys is sufficient. The former would be:
[kadmin]
default_keys = afs3 v5
afs-cell = your.cell

The latter:
[kadmin]
default_keys = v4 v5
v4-realm = YOUR.REALM

Or collect all 3:
default_keys = v4 v5 afs3
afs-cell = your.cell
v4-realm = YOUR.REALM

To set up AFS in an existing krb5 realm:
-Create the key for afs or afs.cell.name, making sure there's a v4-salted
key generated for it.
-If you use heimdal, you can add the key to your keytab using ktutil, then
ktutil copy /etc/krb5.keytab AFSKEYFILE:/usr/afs/etc/KeyFile
and it should copy only the afs key from the keytab
-If you use MIT krb5, it's harder. You'll need a krb5-aware asetkey, and
to ktutil add the afs key, then run asetkey.
-At this point clients should be able to run aklog5 and get a useful token
for AFS.

For bootstrapping a new MIT krb5 realm, hopefully someone else can give a
step-by-step.

-D



Now, when I try to do a kadmin -l and do an init KNUDSTRUP.ORG, I get the
following:
[root@taipienyi heimdal]# sbin/kadmin -l
kadmin> init KNUDSTRUP.ORG
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: bad value for default_keys `afs3'
kadmin: kadm5_create_principal: Program lacks support for encryption type
[root@taipienyi heimdal]#

Attached is the contents of my krb5.conf:

[root@taipienyi heimdal]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = KNUDSTRUP.ORG
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
 KNUDSTRUP.ORG = {
  kdc = taipienyi.knudstrup.org:88
  admin_server = taipienyi.knudstrup.org:kerberos-adm
  default_domain = knudstrup.org
 }

[domain_realm]
 .knudstrup.org = KNUDSTRUP.ORG
 knudstrup.org  = KNUDSTRUP.ORG

[kdc]
 profile = /usr/local/var/krb5kdc/kdc.conf
 enable-kaserver = true
 afs-cell = knudstrup.org
 enable-524 = true
 v4-realm = KNUDSTRUP.ORG

[kadmin]
 default_keys = v4 v5 afs3
 afs-cell = knudstrup.org

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
[root@taipienyi heimdal]#

I think I've followed the instructions, where do I go next?

Thanks,

Eric
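A small config checker for the option pairings Derrick's post lays out, as an added example that is not part of this thread or of Heimdal itself: it parses a krb5.conf (including the braced [realms] block) and reports any default_keys type whose companion option is missing from [kadmin], run over a constructed copy of Eric's [kdc]/[kadmin] sections. It only encodes the afs3/afs-cell and v4/v4-realm pairings from the quoted examples; it does not diagnose the `bad value for default_keys` error itself.

```python
"""Check Heimdal [kadmin] default_keys against the options they pair with.

Added example, not from the thread or from Heimdal. The pairings below
(afs3 -> afs-cell, v4 -> v4-realm) follow the [kadmin] examples quoted
from Derrick's post; SAMPLE_CONF is a constructed excerpt of Eric's file.
"""
import re

SAMPLE_CONF = """\
[realms]
 KNUDSTRUP.ORG = {
  kdc = taipienyi.knudstrup.org:88
 }

[kdc]
 enable-kaserver = true
 afs-cell = knudstrup.org
 enable-524 = true
 v4-realm = KNUDSTRUP.ORG

[kadmin]
 default_keys = v4 v5 afs3
 afs-cell = knudstrup.org
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}. Braced sub-blocks such as the
    realm entries under [realms] are flattened to 'outer/inner' keys."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                 # new top-level section
            section, stack = m.group(1), []
            conf.setdefault(section, {})
            continue
        if line == "}":                       # close a braced block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                      # open a braced block
            stack.append(key)
            continue
        conf[section]["/".join(stack + [key])] = value
    return conf

# default_keys type word -> [kadmin] option it is paired with in the post
REQUIRES = {"afs3": "afs-cell", "v4": "v4-realm"}

def lint_kadmin(conf):
    """List each default_keys type whose paired [kadmin] option is absent."""
    kadmin = conf.get("kadmin", {})
    return [f"default_keys '{k}' needs [kadmin] {REQUIRES[k]}"
            for k in kadmin.get("default_keys", "").split()
            if k in REQUIRES and REQUIRES[k] not in kadmin]
```

Against the sample this reports only the v4/v4-realm pairing, since the [kadmin] section carries afs-cell but no v4-realm.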