[OpenAFS] definitive / up-to-date kerberos 5 migration information desired

Christopher Allen Wing wingc@engin.umich.edu
Thu, 4 Aug 2005 15:30:10 -0400 (EDT)


John:

If you want to preserve a little bit more of the metadata in the kaserver 
database when converting to Kerberos 5, take a look at:

 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.86/SOURCES/afs-krb5-2.0-betterka2dump.patch


This is a patch against 'afs2k5db' which does the following:

 	- preserves the semantics of the 'NOTGS' flag in ka entries

 	- preserves the 'password last changed' timestamp

 	- uses the correct value for password expiration time (0 means
 		never, not 2145830400)




You can also use the following script on top of that:

 	http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.86/SOURCES/kas-kdb-merge.pl



which will merge back in the information about which user last modified a 
given ka database entry. Otherwise this information will be lost when you 
convert to krb5.

The script would be used as follows:


 	kas list -long >/tmp/kas-output.txt

 	afs2k5db /usr/afs/db/kaserver.DB0 >/tmp/krb5-dumpfile

 	./kas-kdb-merge.pl /tmp/krb5-dumpfile /tmp/kas-output.txt YOUR.REALM.NAME >/tmp/final-krb5-database





This is only important if you care about preserving as much information as 
possible from the original kaserver database; you can use the unpatched 
afs2k5db as-is without any problems.


-Chris Wing
wingc@engin.umich.edu



> I finally have a few days to migrate our cell from AFS-KRB to Kerb5.
> We have a few hundred users and I'd like to migrate the cell without
> too much disruption.  Looking at the AFS wiki, I find
>   - dead links to Ken Hornstein's AFS-KRB 5 migration kit
>    (the FTP server doesn't exist any more?)
>   - dead links to Schulz at Karlsruhe's info on migration
>   - a live AFS file (date 2001) on using KTH Heimdal's Krb5
> Has the train left the station long ago?