[OpenAFS] Authenticating against MIT Kerberos 5 version 1.3.1

Kevin openafs@gnosys.biz
Mon, 9 Feb 2004 15:35:38 -0500


Hi All-

Apologies if this is a FAQ, but I've looked through many posts on the 
archive already and though I do see some discussion of it, I don't see 
much recent discussion, thus my post.  I looked for a searchable archive 
of the OpenAFS lists, but didn't find one so the best I could do was 
google with a domain constraint and a time constraint, but the <3 months 
old time constraint still hit on 2-year-old list articles, so I dunno.

Anyway, ...

I'm starting from scratch and I'd like to get OpenAFS 1.2.11 
authenticating against an MIT Kerberos 5 v1.3.1 system.

I have built AFS and Kerberos, installed and tested kerberos (everything 
non-AFS is fine), made the afs key (afs/fqhn@REALM) (or should it be---as 
I saw in Jan 2002---afs/cellname@REALM) and even insmod'd the afs module 
into my kernel (so far so good, but does that module really taint the 
kernel?  I thought OpenAFS was open source...).

But I'm not sure about a couple of things and so I'd like to ask here if I 
may (the last time I saw these very issues brought up on the list (and 
the devel list at that) was in January 2002 when Adam Thornton asked).

Since Jan 2002, it seems to me that a lot must have changed.  I have Ken 
Hornstein's migration kit, but the latest version I could find was 2.0 
(afs-krb5-2.0.tar.gz) from March 2003.  However, the sources in it won't 
build for me against a fresh build of kerberos 5 v1.3.1 and openafs 
1.2.11.  I get the following error messages:

=================================================
adam@zeus:~/kafs/afs-krb5/src> make
gcc -c -g -O2 -I/usr/local/include -I/usr/local/include 
-DPACKAGE_NAME=\"afs-krb5\" -DPACKAGE_TARNAME=\"afs-krb5\" 
-DPACKAGE_VERSION=\"1.4\" -DPACKAGE_STRING=\"afs-krb5\ 1.4\" 
-DPACKAGE_BUGREPORT=\"kenh@cmf.nrl.navy.mil\" -DAFS=1 -DAFS_INT32=1 
-DAFS_TRY_FULL_PRINC=1 -DHAVE_DAEMON=1 -DSTDC_HEADERS=1 
-DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 
-DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 
-DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_UNISTD_H=1 
-DHAVE_STDLIB_H=1 -DHAVE_MEMORY_H=1 -DHAVE_PATHS_H=1 -DHAVE_MALLOC_H=1 
-DHAVE_STRERROR=1 -DRETSIGTYPE=void  -DALLOW_REGISTER 
-I/home/adam/kafs/krb5-1.3.1/src/include 
-I/home/adam/kafs/krb5-1.3.1/src/include/krb5 afs2k5db.c
In file included from /home/adam/kafs/krb5-1.3.1/src/include/k5-int.h:125,
                 from afs2k5db.c:35:
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:167:1: warning: 
"KRB5_DEPRECATED" redefined
In file included from afs2k5db.c:32:
/home/adam/kafs/krb5-1.3.1/src/include/krb5.h:65:1: warning: this is the 
location of the previous definition
In file included from /home/adam/kafs/krb5-1.3.1/src/include/k5-int.h:125,
                 from afs2k5db.c:35:
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:182:1: warning: 
"KRB5_PRIVATE" redefined
In file included from afs2k5db.c:32:
/home/adam/kafs/krb5-1.3.1/src/include/krb5.h:69:1: warning: this is the 
location of the previous definition
In file included from /home/adam/kafs/krb5-1.3.1/src/include/k5-int.h:125,
                 from afs2k5db.c:35:
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:195:1: warning: 
"PACKAGE_BUGREPORT" redefined
<command line>:8:1: warning: this is the location of the previous 
definition
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:198:1: warning: 
"PACKAGE_NAME" redefined
<command line>:4:1: warning: this is the location of the previous 
definition
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:201:1: warning: 
"PACKAGE_STRING" redefined
<command line>:7:1: warning: this is the location of the previous 
definition
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:204:1: warning: 
"PACKAGE_TARNAME" redefined
<command line>:5:1: warning: this is the location of the previous 
definition
/home/adam/kafs/krb5-1.3.1/src/include/krb5/autoconf.h:207:1: warning: 
"PACKAGE_VERSION" redefined
<command line>:6:1: warning: this is the location of the previous 
definition
In file included from afs2k5db.c:35:
/home/adam/kafs/krb5-1.3.1/src/include/k5-int.h:1783: error: parse error 
before "krb5_donot_replay"
make: *** [afs2k5db.o] Error 1
adam@zeus:~/kafs/afs-krb5/src>
=================================================

I've read all of Ken's documentation and found it helpful, but not quite 
helpful enough since I can't build his sources.  He mentions that much of 
the functionality in his migration kit may go into the 1.3 release of MIT 
kerberos 5, but I'm not sure if it's there yet.

And so, I have a couple of specific questions:

1) Is it still true that openafs works only with Kerberos V4 tickets or 
can it now work directly with V5 tickets?  (IOW, do I still need to run 
the 524 daemon?)

2) Does openafs support triple-DES yet or is it still only 1des?  If still 
only 1des, is it really safe over the internet given that 1des has been 
compromised and can be brute-forced?

3) Is there some way I can do what Ken's asetkey.c program does using only 
the tools in openafs 1.2.11 and/or MIT Kerberos 5 v1.3.1?  I see Ken's 
mention of asetkey in 
https://lists.openafs.org/pipermail/openafs-devel/2002-January/007374.html, 
but alas, not being able to build it I cannot use it.

Many thanks for ideas or pointers to current documentation on this.

-Kevin