[OpenAFS] Migration from kaserver to krb5.

O Plameras oscarp@acay.com.au
Wed, 12 Apr 2006 08:43:05 +1000


Christopher Allen Wing wrote:
> Hello,
>
>
> On Tue, 11 Apr 2006, O Plameras wrote:
>
>> I have running servers with OpenAFS-1.4.1 on FC5 using kaserver.
>>
>> I have used clients running OpenAFS on FC4/Win2000 and
>> OpenAFS-1.4.1rc10 on FC5.
>>
>> This setup is working without any problem so far.
>
> Do you have any actual users in your AFS cell yet?  Or did you just 
> set it up with kaserver for testing purposes?
>
> If you don't yet have any user accounts / passwords, it's probably 
> easiest not to bother with the kaserver conversion, but instead, just 
> create new principals in the k5 database and reset the afs key.

I have only a half-dozen users.  Yes, I created new principals in the k5 
DB and reset the afs key.

>
>> I want to convert from kaserver to krb5.
>>
>> I installed and tested krb5-1.4.3 KDC. This works.
>>
>> Then I did these.
>> [oscarp@toshiba]$kinit admin/admin
>> [oscarp@toshiba]$aklog example.com.ex -k EXAMPLE.COM.EX
>> [oscarp@toshiba]$tokens
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 1) tokens for afs@example.com.ex [Expires Apr 11 22:04]
>>   --End of list--
>
> Did you create a new 'afs' principal in the K5 database?

Yes, I did. This is how I did it.

#kadmin.local  -e des-cbc-crc:v4  <<EOF
addprinc -randkey afs/example.com.ex
ktadd -k KeyFile afs/example.com.ex
quit
EOF

#set `klist -k KeyFile | tail -1`
#asetkey add $1 KeyFile afs/example.com.ex

After this, I can do this because I have user
admin in k5.

#kinit admin
#aklog

The problem is after this I can't

#vos listvol toshiba.example.com.ex

In the AFS_K5_NAME_CHANGE it says, to the effect, that
I have to run afs2k5db, and that's where I have compile errors
when attempting to compile using the FC5 source rpm. The specific
errors, amongst others, say files are missing, like:

k5-int.h
adm.h

I searched the source code of openafs-1.4.1rc10 but they are not found
there. I noticed they are in openafs-1.3.8.

>
>> It is my understanding that I need to run afs2k5db on kaserver.DBO
>> and use the output to update krb5 keys.
>
> You only need to do this if you have users and passwords which you 
> care about preserving.  Otherwise, it's probably simpler to recreate 
> the principals in the K5 database, and create a new 
> 'afs/cell.name@REALM.NAME' key.

OK, I got this. I am able to create principals in K5 and aklog 
successfully. The problem after this is I can't do AFS maintenance
commands like #vos listvol <server>, etc.

I have about 500 Gbytes and for this reason I can't reset my DB.
>
>> My problem is I can't compile afs2k5db.
>
> You need to have the source code tree to the version of Kerberos which 
> you are running.  This can be a pain.

Yes, I have the source code tree and attempted to recompile. As I 
mentioned earlier, the error is due to missing files, like k5-int.h
and adm.h.

>
> Did you compile krb5 yourself, or are you using the stuff from FC5?  
> If the former is the case, no problem.  If the latter is the case, you 
> will need to download the FC5 source RPM for kerberos, and do 
> something like:
>
>     create a temporary RPM root to build RPMs
>
>     rpm -ivh krb5-1.4.x.src.rpm
>
>     cd <rpmroot>/SPECS
>
>     rpmbuild -ba krb5.spec

Yep, I've done this.

>
>
> Then you will have an expanded source tree in <rpmroot>/BUILD which 
> you can use to compile the afs-krb5 stuff.  Note that you have to 
> actually perform the build in the krb5 directory, because some of the 
> files used by afs-krb5 require an actually built krb5.  (you can't 
> just download the Kerberos source code and untar it)
>
>
> Then download the afs-krb5 tar file.  It won't build properly against 
> recent OpenAFS and Kerberos so you will need some patches.  I have not 
> yet built afs-krb5 against krb5-1.4.x, so I don't know what changes 
> are necessary.
>
> However, here are the patches that I used to build afs-krb5 against 
> krb5-1.3.x and openafs-1.4.x:
>
>     http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/ 
>
>         afs-krb5-2.0-umich.patch
>         afs-krb5-2.0-kfdump.patch
>         afs-krb5-2.0-krb524.patch
>         afs-krb5-2.0-k5private.patch
>         afs-krb5-2.0-libsocket.patch
>         afs-krb5-2.0-warnings.patch
>         afs-krb5-2.0-betterka2dump.patch
>         afs-krb5-2.0-res_search.patch
>         afs-krb5-2.0-com_err.patch
>         afs-krb5-2.0-openafs1.3.patch
>         afs-krb5-2.0-noaklog.patch

I did not have these files. Thanks for pointing to these files. I'll 
incorporate these and see what the outcome is going to be.

>
> Download the patches and apply them in that order to the afs-krb5 
> source code.
>
> You need to have the header files and libraries that come with OpenAFS 
> for development purposes.  (probably in the openafs-devel RPM)
>
> You then need to build it as follows:
>
>     cd <afs-krb5 source code tree>
>
>     autoreconf
>
>     ./configure -prefix=/usr --with-krb5=/usr/kerberos \
>         --with-afs=/usr --with-umich

OK, I'll do that.

>
> # where <rpmroot> is the RPM root where you built the krb5 stuff
> # (make sure that <rpmroot>/BUILD/krb5-1.4.x/include is actually the
> # correct path to the include files, etc.)
>
>     make EXTRA_INC="-I<rpmroot>/BUILD/krb5-1.4.x/include -I/usr/include/et"
>
>

I'll do that.

> That probably assumes that you are using a 32-bit OS, because it will 
> look for the AFS libraries in /usr/lib not /usr/lib64.  If you are 
> using a 64-bit OS, you will need to do something different with 
> --with-afs.
>

I have a 32-bit.

> I use something similar to the above to build it on RHEL4, however I 
> always build afs-krb5 along with the rest of OpenAFS, so I have access 
> to the OpenAFS source code tree.
>
> If you build OpenAFS yourself (from RPM), then you can do:
>
>
>     ./configure -prefix=/usr --with-krb5=/usr/kerberos \
>         --with-afs=<afsrpmroot>/BUILD/xxx/<sysname>/dest --with-umich
>
> where <afsrpmroot> is the RPM root where you built OpenAFS, and the 
> files are built into BUILD/openafs-x.x.x/xxx/sysname/dest
>
> where sysname is probably i386_linux26 or amd64_linux26, etc.
>
> As you can see it is somewhat complicated.

I'll take this as a learning experience.

>
> If you want to go ahead and use afs-krb5, you may also find this 
> script useful:
>
>     http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/kas-kdb-merge.pl 
>
>

Yes, I'll go ahead, and certainly I'll use this.

>
> The afs2k5db program generates a krb5 dump record which is missing 
> 'last modified by' data.  This is because getting the information 
> requires more knowledge of the kaserver database than afs2k5db 
> implements.
>
> If you use that script, it will take the output of 'kas list -long' 
> and add back in the 'last modified by' data into the dump record.  
> This is mainly interesting if you have been running kaserver for a 
> long time and would like to preserve as much metadata as possible when 
> you convert to pure krb5.
>
>

Thanks for this info. Any little hint is always useful.

>
> But overall, if you don't have any actual production users in your 
> cell, or if you only have a few people and it wouldn't be a big deal 
> to just change their passwords, I would recommend skipping the 
> afs2k5db entirely and just regenerating the afs key from scratch.
>


Thanks again.


O Plameras
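
An added example for the key-reset step discussed in this thread; it is not code from either poster or from OpenAFS. The recipe above takes the kvno for asetkey with `set \`klist -k KeyFile | tail -1\``, which returns whatever line happens to be last in the keytab listing. The helpers below instead select the newest key for the afs principal explicitly, check that it is a single-DES key (the only key type an OpenAFS 1.4 KeyFile can hold), and compare its kvno with the kvno the KDC issues, so that a KeyFile that does not match the KDC is noticed before the servers are restarted. The `klist -ke` and `kvno` output samples are constructed for the example and assume the MIT Kerberos output layout; in real use replace them with the output of `klist -ke KeyFile` and `kvno afs/<cell>`.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenAFS: sanity-check the afs
# service key in a keytab before feeding its kvno to asetkey.
# Assumes MIT `klist -ke` and `kvno` output formats as in the constructed
# samples below.

# keytab_kvno PRINCIPAL  (reads `klist -k` or `klist -ke` output on stdin)
# Prints the highest kvno recorded for PRINCIPAL (given with or without
# @REALM); returns 1 if the principal is not in the keytab at all.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && ($2 == p || index($2, p "@") == 1) {
            if ($1 + 0 > max) { max = $1 + 0; found = 1 }
        }
        END { if (!found) exit 1; print max }'
}

# keytab_enctype_ok PRINCIPAL  (reads `klist -ke` output on stdin)
# Returns 0 only if every key for PRINCIPAL is single DES; asetkey cannot
# load anything else into a 1.4 KeyFile.
keytab_enctype_ok() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && ($2 == p || index($2, p "@") == 1) {
            seen = 1
            if ($0 !~ /\(DES cbc mode with/) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# kdc_kvno PRINCIPAL  (reads `kvno PRINCIPAL` output on stdin)
# Prints the kvno the KDC currently puts into service tickets for PRINCIPAL.
kdc_kvno() {
    awk -v p="$1" '
        $NF ~ /^[0-9]+$/ && ($1 == p ":" || index($1, p "@") == 1) {
            print $NF; found = 1
        }
        END { if (!found) exit 1 }'
}

# keyfile_matches_kdc PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Prints "match <n>" and returns 0 when the newest keytab kvno equals the
# kvno the KDC issues; otherwise reports the problem and returns 1.  A
# fileserver can only decrypt tokens whose kvno is present in its KeyFile.
keyfile_matches_kdc() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") ||
        { echo "no key for $1 in keytab"; return 1; }
    printf '%s\n' "$2" | keytab_enctype_ok "$1" ||
        { echo "non-DES key for $1 in keytab; re-create it with -e des-cbc-crc:v4"; return 1; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1") ||
        { echo "no kvno for $1 from KDC"; return 1; }
    if [ "$kt" = "$kdc" ]; then
        echo "match $kt"
    else
        echo "mismatch keytab=$kt kdc=$kdc"
        return 1
    fi
}

# Constructed `klist -ke KeyFile` output: two key versions for afs/<cell>
# plus an unrelated host key listed last, the layout that defeats `tail -1`.
SAMPLE_KLIST='Keytab name: FILE:KeyFile
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/example.com.ex@EXAMPLE.COM.EX (DES cbc mode with CRC-32)
   3 afs/example.com.ex@EXAMPLE.COM.EX (DES cbc mode with CRC-32)
   1 host/toshiba.example.com.ex@EXAMPLE.COM.EX (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Constructed `kvno afs/example.com.ex` output: the KDC is issuing kvno 3.
SAMPLE_KVNO='afs/example.com.ex@EXAMPLE.COM.EX: kvno = 3'

# Constructed stale case: the principal was re-randomised (kvno 4) after the
# kvno-3 key was copied into KeyFile.
SAMPLE_KVNO_STALE='afs/example.com.ex@EXAMPLE.COM.EX: kvno = 4'

# Demo on the constructed samples.  Real use: pass "$(klist -ke KeyFile)"
# and "$(kvno afs/<cell>)" and only run `asetkey add <kvno> KeyFile ...`
# after a "match" result.
keyfile_matches_kdc afs/example.com.ex "$SAMPLE_KLIST" "$SAMPLE_KVNO"
keyfile_matches_kdc afs/example.com.ex "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" ||
    echo "not safe to run asetkey or restart the servers yet"
```

The kvno printed by `keytab_kvno` is the value to hand to asetkey in place of the `$1` from `set \`klist -k KeyFile | tail -1\``; the enctype check matters because the principal has to be created with `-e des-cbc-crc:v4` as in the thread, and a keytab written with the KDC's default enctypes will not load into KeyFile.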