[OpenAFS] Migration from kaserver to krb5.
Wed, 12 Apr 2006 08:43:05 +1000
Christopher Allen Wing wrote:
> On Tue, 11 Apr 2006, O Plameras wrote:
>> I have servers running OpenAFS-1.4.1 on FC5 using kaserver.
>> I have used clients running OpenAFS on FC4/Win2000 and
>> OpenAFS-1.4.1rc10 on FC5.
>> This setup is working without any problem so far.
> Do you have any actual users in your AFS cell yet? Or did you just
> set it up with kaserver for testing purposes?
> If you don't yet have any user accounts / passwords, it's probably
> easiest not to bother with the kaserver conversion, but instead, just
> create new principals in the k5 database and reset the afs key.
I have only half-dozen users. Yes, I created new principals in the k5
DB and reset afs key.
>> I want to convert from kaserver to krb5.
>> I installed and tested krb5-1.4.3 KDC. This works.
>> Then I did these.
>> [oscarp@toshiba]$kinit admin/admin
>> [oscarp@toshiba]$aklog example.com.ex -k EXAMPLE.COM.EX
>> Tokens held by the Cache Manager:
>> User's (AFS ID 1) tokens for firstname.lastname@example.org [Expires Apr 11 22:04]
>> --End of list--
> Did you create a new 'afs' principal in the K5 database?
Yes, I did. This is how I did it.
# kadmin.local -e des-cbc-crc:v4 <<EOF
addprinc -randkey afs/example.com.ex
ktadd -k KeyFile afs/example.com.ex
EOF
# set `klist -k KeyFile | tail -1`
# asetkey add $1 KeyFile afs/example.com.ex
After this, I can do this because I have the user admin in k5.
The problem is that after this I can't run
# vos listvol toshiba.example.com.ex
The AFS_K5_NAME_CHANGE document says, in effect, that I have to run
afs2k5db, and that's where I get compile errors when trying to compile
it from the FC5 source rpm. The specific errors, amongst others, say
that files are missing, like:
I searched the source code of openafs-1.4.1rc10 but they are not found
there. I noticed they are in openafs-1.3.8.
>> It is my understanding that I need to run afs2k5db on kaserver.DBO
>> and use the output to update krb5 keys.
> You only need to do this if you have users and passwords which you
> care about preserving. Otherwise, it's probably simpler to recreate
> the principals in the K5 database, and create a new
> 'afs/cell.name@REALM.NAME' key.
OK, I got this. I am able to create principals in K5 and aklog
successfully. The problem after this is that I can't run AFS
maintenance commands like # vos listvol <server>, etc.
I have about 500 Gbytes and for this reason I can't reset my DB.
>> My problem is I can't compile afs2k5db.
> You need to have the source code tree to the version of Kerberos which
> you are running. This can be a pain.
Yes, I have the source code tree and attempted to recompile. As I
mentioned earlier the error is due to missing
files, like k5-int.h, adm.h.
> Did you compile krb5 yourself, or are you using the stuff from FC5?
> If the former is the case, no problem. If the latter is the case, you
> will need to download the FC5 source RPM for kerberos, and do
> something like:
> create a temporary RPM root to build RPMs
> rpm -ivh krb5-1.4.x.src.rpm
> cd <rpmroot>/SPECS
> rpmbuild -ba krb5.spec
Yep, I've done this.
> Then you will have an expanded source tree in <rpmroot>/BUILD which
> you can use to compile the afs-krb5 stuff. Note that you have to
> actually perform the build in the krb5 directory, because some of the
> files used by afs-krb5 require an actually built krb5. (you can't
> just download the Kerberos source code and untar it)
> Then download the afs-krb5 tar file. It won't build properly against
> recent OpenAFS and Kerberos so you will need some patches. I have not
> yet built afs-krb5 against krb5-1.4.x, so I don't know what changes
> are necessary.
> However, here are the patches that I used to build afs-krb5 against
> krb5-1.3.x and openafs-1.4.x:
I did not have these files. Thanks for pointing to these files. I'll
see what the outcome is going to be.
> Download the patches and apply them in that order to the afs-krb5
> source code.
> You need to have the header files and libraries that come with OpenAFS
> for development purposes. (probably in the openafs-devel RPM)
> You then need to build it as follows:
> cd <afs-krb5 source code tree>
> ./configure -prefix=/usr --with-krb5=/usr/kerberos \
> --with-afs=/usr --with-umich
OK, I'll do.
> # where <rpmroot> is the RPM root where you built the krb5 stuff
> # (make sure that <rpmroot>/BUILD/krb5-1.4.x/include is actually the
> # correct path to the include files, etc.)
> make EXTRA_INC="-I<rpmroot>/BUILD/krb5-1.4.x/include"
> That probably assumes that you are using a 32-bit OS, because it will
> look for the AFS libraries in /usr/lib not /usr/lib64. If you are
> using a 64-bit OS, you will need to do something different with
I have a 32-bit.
> I use something similar to the above to build it on RHEL4, however I
> always build afs-krb5 along with the rest of OpenAFS, so I have access
> to the OpenAFS source code tree.
> If you build OpenAFS yourself (from RPM), then you can do:
> ./configure -prefix=/usr --with-krb5=/usr/kerberos \
> --with-afs=<afsrpmroot>/BUILD/xxx/<sysname>/dest --with-umich
> where <afsrpmroot> is the RPM root where you built OpenAFS, and the
> files are built into BUILD/openafs-x.x.x/xxx/sysname/dest
> where sysname is probably i386_linux26 or amd64_linux26, etc.
> As you can see it is somewhat complicated.
I'll take this as a learning experience.
> If you want to go ahead and use afs-krb5, you may also find this
> script useful:
Yes, I'll go ahead and certainly, I'll use this.
> The afs2k5db program generates a krb5 dump record which is missing
> 'last modified by' data. This is because getting the information
> requires more knowledge of the kaserver database than afs2k5db
> If you use that script, it will take the output of 'kas list -long'
> and add back in the 'last modified by' data into the dump record.
> This is mainly interesting if you have been running kaserver for a
> long time and would like to preserve as much metadata as possible when
> you convert to pure krb5.
Thanks for this info. Any little hint is always useful.
> But overall, if you don't have any actual production users in your
> cell, or if you only have a few people and it wouldn't be a big deal
> to just change their passwords, I would recommend skipping the
> afs2k5db entirely and just regenerating the afs key from scratch.
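An added example, not from anyone in this thread: a small POSIX sh script that mirrors the KeyFile step Oscar posted (kadmin.local ktadd, then asetkey), but reads the kvno out of `klist -k` output with awk instead of `set`/`tail -1`, and refuses to call asetkey when the principal has no keytab entry. The SAMPLE_KLIST text is constructed so the parser can be checked without a KDC; `klist`, `asetkey`, KeyFile and the afs/example.com.ex principal come from the thread.

```sh
#!/bin/sh
# Added example: install the afs/cell key into OpenAFS's KeyFile with the
# kvno read from the keytab, rather than `set `klist -k KeyFile | tail -1``.
# klist, asetkey, KeyFile and the principal name are as used in the thread.

# Constructed sample of `klist -k KeyFile` output (MIT krb5 1.4 layout),
# used so keytab_kvno can be exercised offline. Two entries: kvno 2 and 3.
SAMPLE_KLIST='Keytab name: FILE:KeyFile
KVNO Principal
---- --------------------------------------------------------------
   2 afs/example.com.ex@EXAMPLE.COM.EX
   3 afs/example.com.ex@EXAMPLE.COM.EX'

# keytab_kvno <klist -k output> <principal>
# Prints the highest kvno recorded for <principal>; prints nothing when the
# principal has no entry, so a forgotten ktadd is caught before asetkey runs.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p && $1 ~ /^[0-9]+$/ {
            if (!seen || $1 + 0 > max) { max = $1 + 0; seen = 1 }
        }
        END { if (seen) print max }'
}

# install_afs_key <keytab> <principal>
# Runs the real klist and asetkey; exits non-zero instead of handing asetkey
# an empty or bogus kvno when the keytab lacks the principal.
install_afs_key() {
    out=$(klist -k "$1") || return 1
    kvno=$(keytab_kvno "$out" "$2")
    if [ -z "$kvno" ]; then
        echo "no entry for $2 in $1 - run ktadd first" >&2
        return 1
    fi
    # OpenAFS 1.4's KeyFile holds single-DES keys only, which is why the
    # kadmin.local session used -e des-cbc-crc:v4; confirm the enctype that
    # actually landed in the keytab with: klist -k -e "$1"
    asetkey add "$kvno" "$1" "$2"
}

# Usage (uncomment to run for real, with the realm-qualified name klist shows):
# install_afs_key KeyFile afs/example.com.ex@EXAMPLE.COM.EX
```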