[OpenAFS] Migration from kaserver to krb5.
Christopher Allen Wing
wingc@engin.umich.edu
Tue, 11 Apr 2006 11:34:00 -0400 (EDT)
Hello,
On Tue, 11 Apr 2006, O Plameras wrote:
> I have running servers with OpenAFS-1.4.1 on FC5 using kaserver.
>
> I have used clients running OpenAFS on FC4/Win2000 and
> OpenAFS-1.4.1rc10 on FC5.
>
> This setup is working without any problem so far.
Do you have any actual users in your AFS cell yet? Or did you just set it
up with kaserver for testing purposes?
If you don't yet have any user accounts / passwords, it's probably easiest
not to bother with the kaserver conversion, but instead, just create new
principals in the k5 database and reset the afs key.
> I want to convert from kaserver to krb5.
>
> I installed and tested krb5-1.4.3 KDC. This works.
>
> Then I did these.
> [oscarp@toshiba]$kinit admin/admin
> [oscarp@toshiba]$aklog example.com.ex -k EXAMPLE.COM.EX
> [oscarp@toshiba]$tokens
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@example.com.ex [Expires Apr 11 22:04]
> --End of list--
Did you create a new 'afs' principal in the K5 database?
> It is my understanding that I need to run afs2k5db on kaserver.DBO
> and use the output to update krb5 keys.
You only need to do this if you have users and passwords which you care
about preserving. Otherwise, it's probably simpler to recreate the
principals in the K5 database, and create a new 'afs/cell.name@REALM.NAME'
key.
> My problem is I can't compile afs2k5db.
You need to have the source code tree to the version of Kerberos which you
are running. This can be a pain.
Did you compile krb5 yourself, or are you using the stuff from FC5? If
the former is the case, no problem. If the latter is the case, you will
need to download the FC5 source RPM for kerberos, and do something like:
    # create a temporary RPM root to build RPMs
    rpm -ivh krb5-1.4.x.src.rpm
    cd <rpmroot>/SPECS
    rpmbuild -ba krb5.spec
Then you will have an expanded source tree in <rpmroot>/BUILD which you
can use to compile the afs-krb5 stuff. Note that you have to actually
perform the build in the krb5 directory, because some of the files used by
afs-krb5 require an actually built krb5. (you can't just download the
Kerberos source code and untar it)
Then download the afs-krb5 tar file. It won't build properly against
recent OpenAFS and Kerberos so you will need some patches. I have not yet
built afs-krb5 against krb5-1.4.x, so I don't know what changes are
necessary.
However, here are the patches that I used to build afs-krb5 against
krb5-1.3.x and openafs-1.4.x:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/
afs-krb5-2.0-umich.patch
afs-krb5-2.0-kfdump.patch
afs-krb5-2.0-krb524.patch
afs-krb5-2.0-k5private.patch
afs-krb5-2.0-libsocket.patch
afs-krb5-2.0-warnings.patch
afs-krb5-2.0-betterka2dump.patch
afs-krb5-2.0-res_search.patch
afs-krb5-2.0-com_err.patch
afs-krb5-2.0-openafs1.3.patch
afs-krb5-2.0-noaklog.patch
Download the patches and apply them in that order to the afs-krb5 source
code.
You need to have the header files and libraries that come with OpenAFS for
development purposes. (probably in the openafs-devel RPM)
You then need to build it as follows:
    cd <afs-krb5 source code tree>
    autoreconf
    ./configure -prefix=/usr --with-krb5=/usr/kerberos \
        --with-afs=/usr --with-umich
    # where <rpmroot> is the RPM root where you built the krb5 stuff
    # (make sure that <rpmroot>/BUILD/krb5-1.4.x/include is actually the
    # correct path to the include files, etc.)
    make EXTRA_INC="-I<rpmroot>/BUILD/krb5-1.4.x/include -I/usr/include/et"
That probably assumes that you are using a 32-bit OS, because it will look
for the AFS libraries in /usr/lib not /usr/lib64. If you are using a
64-bit OS, you will need to do something different with --with-afs.
I use something similar to the above to build it on RHEL4, however I
always build afs-krb5 along with the rest of OpenAFS, so I have access to
the OpenAFS source code tree.
If you build OpenAFS yourself (from RPM), then you can do:
    ./configure -prefix=/usr --with-krb5=/usr/kerberos \
        --with-afs=<afsrpmroot>/BUILD/xxx/<sysname>/dest --with-umich
where <afsrpmroot> is the RPM root where you built OpenAFS, and the files
are built into BUILD/openafs-x.x.x/xxx/sysname/dest
where sysname is probably i386_linux26 or amd64_linux26, etc.
As you can see it is somewhat complicated.
If you want to go ahead and use afs-krb5, you may also find this script
useful:
http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/kas-kdb-merge.pl
The afs2k5db program generates a krb5 dump record which is missing 'last
modified by' data. This is because getting the information requires more
knowledge of the kaserver database than afs2k5db implements.
If you use that script, it will take the output of 'kas list -long' and
add back in the 'last modified by' data into the dump record. This is
mainly interesting if you have been running kaserver for a long time and
would like to preserve as much metadata as possible when you convert to
pure krb5.
But overall, if you don't have any actual production users in your cell,
or if you only have a few people and it wouldn't be a big deal to just
change their passwords, I would recommend skipping the afs2k5db entirely
and just regenerating the afs key from scratch.
-Chris Wing
wingc@engin.umich.edu
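The afs-krb5 build procedure from the mail above, as an added wrapper script that is not Chris Wing's own code: it encodes the patch order, verifies that EXTRA_INC points at a built krb5 tree and that --with-afs will actually find the AFS libraries (the 32-bit vs 64-bit caveat), and only then runs autoreconf/configure/make. The argument layout, the openafs-* directory glob and the patch-location check are assumptions; applying the patches is still done by hand as the mail describes.

```shell
#!/bin/sh
# Added example, not Chris Wing's script: wraps the afs-krb5 build from the
# mail, checking the paths EXTRA_INC and --with-afs point at before it runs
# autoreconf/configure/make. Args (assumed): afs-krb5 source tree with the
# patches present, krb5 RPM root, and optionally the OpenAFS RPM root.
set -eu
# Patch order from the mail; apply them in exactly this sequence.
PATCHES="umich kfdump krb524 k5private libsocket warnings betterka2dump
res_search com_err openafs1.3 noaklog"
check_patches() {   # fail on the first patch missing from tree $1
    for p in $PATCHES; do
        if [ ! -f "$1/afs-krb5-2.0-$p.patch" ]; then
            echo "missing patch: afs-krb5-2.0-$p.patch" >&2; return 1
        fi
    done
}

krb5_extra_inc() {  # EXTRA_INC for make; krb5.h must be in the *built* tree
    for d in "$1"/BUILD/krb5-*/include; do
        if [ -f "$d/krb5.h" ]; then echo "-I$d -I/usr/include/et"; return 0; fi
    done
    echo "no built krb5 tree under $1/BUILD" >&2; return 1
}

afs_sysname() {     # OpenAFS sysname for this host, used in the dest path
    case $1 in
        i?86)   echo i386_linux26 ;;
        x86_64) echo amd64_linux26 ;;
        *)      echo "unknown arch: $1" >&2; return 1 ;;
    esac
}

afs_prefix() {      # --with-afs: OpenAFS dest tree under RPM root $2, else /usr
    if [ -n "${2:-}" ]; then
        for d in "$2"/BUILD/openafs-*/"$1"/dest; do
            if [ -d "$d" ]; then echo "$d"; return 0; fi
        done
        echo "no OpenAFS dest tree for $1 under $2/BUILD" >&2; return 1
    elif [ "$1" = i386_linux26 ]; then echo /usr   # AFS libs are in /usr/lib
    else echo "64-bit host: --with-afs=/usr misses /usr/lib64; give the OpenAFS RPM root" >&2; return 1
    fi
}
if [ $# -ge 2 ]; then
    check_patches "$1"; INC=$(krb5_extra_inc "$2")
    AFS=$(afs_prefix "$(afs_sysname "$(uname -m)")" "${3:-}")
    cd "$1" && autoreconf && ./configure --prefix=/usr --with-krb5=/usr/kerberos \
        --with-afs="$AFS" --with-umich && make EXTRA_INC="$INC"
fi
```

Run it with no arguments to only load the helper functions, or with the source tree and RPM roots to perform the build.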