[OpenAFS] OpenAFS 1.3.63 on Windows XP
Douglas E. Engert
deengert@anl.gov
Wed, 12 May 2004 09:20:19 -0500
Kevin Coffman wrote:
>
> > Kevin Coffman wrote:
> > >
> > > > Kevin Coffman wrote:
> > > >
> > > > > What version of afs are your cell's DB servers (and fileservers)
> > > > > running ?
> > > >
> > > > OpenAFS 1.2.7 - thinking about it they could stand an update.
> > >
> > > The support for K5 went into OpenAFS 1.2.8, so I think this is your
> > > problem.
> >
> > That's part of it. There is still the 344 byte ticket size limit, and
> > the use of des-cbc-crc vs des-cbc-md5. These have been added later to the CVS,
> > and are not in OpenAFS 1.2. A Windows AD 2003 will use the des-cbc-md5
> > for the tickets, and 2000 and 2003 ADs will produce large tickets, even a
> > minimal user may have a ticket that is 1000 bytes of which 800 bytes are
> > the PAC.
> >
> > The KfW, aklog or gssklog conversion utilities can handle the des-cbc-md5
> > and large tickets, so you may need to use them for a while still.
>
> Is the ticket size limit change a client-only issue or are there
> server-side changes involved as well?
Well, ./rxkad/rxkad.p.h is changed so the server gets recompiled
with these larger sizes, and if you have W2003 ADs, they will use des-cbc-md5,
so the MD5 code is needed on the server so it will verify the checksum.
So yes there are server side changes.
See:
http://www.openafs.org/cgi-bin/wdelta/even-larger-ticket-sizes-20040403
The testing I did was on 1.2.11 on Solaris, using some tickets that
were about 1000 bytes long using W2003, W2000 ADs.
This was the 1.2.11 patch. The rest of the patches were to the
pioctl to allow it to pass a larger ticket, and to the ktc_settoken
that was using some 1024 byte buffer to hold a ticket.
*** ./rxkad/,rxkad.p.h Thu Nov 14 16:44:38 2002
--- ./rxkad/rxkad.p.h Thu Apr 8 08:27:37 2004
***************
*** 16,22 ****
/* no ticket good for longer than 30 days */
#define MAXKTCTICKETLIFETIME (30*24*3600)
#define MINKTCTICKETLEN 32
! #define MAXKTCTICKETLEN 344
#define MAXKTCNAMELEN 64 /* name & inst should be 256 */
#define MAXKTCREALMLEN 64 /* should be 256 */
#define KTC_TIME_UNCERTAINTY (15*60) /* max skew bet. machines' clocks */
--- 16,22 ----
/* no ticket good for longer than 30 days */
#define MAXKTCTICKETLIFETIME (30*24*3600)
#define MINKTCTICKETLEN 32
! #define MAXKTCTICKETLEN 12000 /* was 344 */
#define MAXKTCNAMELEN 64 /* name & inst should be 256 */
#define MAXKTCREALMLEN 64 /* should be 256 */
#define KTC_TIME_UNCERTAINTY (15*60) /* max skew bet. machines' clocks */
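Review bot: The new value in "#define MAXKTCTICKETLEN 12000 /* was 344 */" records the old limit but gives no rationale for 12000, and every buffer or length check built on this constant grows roughly 35 times with it. Suggest a comment stating what the bound is meant to cover (the message cites AD tickets of about 1000 bytes), and a check of any arrays declared with this size that live on the stack. MINKTCTICKETLEN stays at 32, so the accepted range becomes 32 to 12000 bytes.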
***************
*** 38,44 ****
#define RXKAD_TKT_TYPE_KERBEROS_V5 256
#define RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY 213
! #define MAXKRB5TICKETLEN 1024
/*
* The AFS/DFS translator may also make use of additional ticket types in
--- 38,44 ----
#define RXKAD_TKT_TYPE_KERBEROS_V5 256
#define RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY 213
! #define MAXKRB5TICKETLEN MAXKTCTICKETLEN
/*
* The AFS/DFS translator may also make use of additional ticket types in
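Review bot: Defining MAXKRB5TICKETLEN as MAXKTCTICKETLEN raises the Kerberos 5 limit from 1024 to 12000 with no comment that the two limits are now deliberately tied; add one so a later change to either is made knowingly. Code that sized a buffer with a literal 1024 instead of MAXKRB5TICKETLEN will not follow this define, so such literals should be replaced with the constant in the same series.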
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
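
An added example, not part of the original message or of OpenAFS: a length check before a ticket is copied into a fixed buffer, showing why a 1000-byte AD ticket is refused under the 344 limit and accepted under 12000. The struct, the demo_* functions, the return codes and OLD_MAXKTCTICKETLEN are hypothetical names; only the constant values come from the quoted header.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from the rxkad.p.h hunks quoted in the message. */
#define MINKTCTICKETLEN      32
#define OLD_MAXKTCTICKETLEN  344    /* limit before the patch (name is hypothetical) */
#define MAXKTCTICKETLEN      12000  /* limit after the patch */

/* Hypothetical token holder, not the OpenAFS structure. */
struct demo_token {
    size_t ticket_len;
    unsigned char ticket[MAXKTCTICKETLEN]; /* sized by the constant, not a literal */
};

enum { TKT_OK = 0, TKT_TOO_SHORT = -1, TKT_TOO_LONG = -2, TKT_BAD_ARG = -3 };

/* Copy a ticket only after its length passes both bounds. max_len is a
 * parameter so old and new limits can be compared; it is clamped to the
 * real buffer size so a caller cannot widen the check past the storage. */
int demo_set_ticket(struct demo_token *tok, const unsigned char *tkt,
                    size_t len, size_t max_len)
{
    if (tok == NULL || tkt == NULL)
        return TKT_BAD_ARG;
    if (max_len > sizeof(tok->ticket))
        max_len = sizeof(tok->ticket);
    if (len < MINKTCTICKETLEN)
        return TKT_TOO_SHORT;
    if (len > max_len)
        return TKT_TOO_LONG;
    memcpy(tok->ticket, tkt, len);
    tok->ticket_len = len;
    return TKT_OK;
}

/* Constructed sample input: filler bytes standing in for a ticket. */
int demo_try(size_t len, size_t max_len)
{
    static struct demo_token tok;
    static unsigned char sample[MAXKTCTICKETLEN + 1];
    memset(sample, 0xA5, sizeof(sample));
    return demo_set_ticket(&tok, sample, len, max_len);
}

int main(void)
{
    printf("1000 bytes, limit 344:   %d\n", demo_try(1000, OLD_MAXKTCTICKETLEN));
    printf("1000 bytes, limit 12000: %d\n", demo_try(1000, MAXKTCTICKETLEN));
    return 0;
}
```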