[OpenAFS] KA server to MIT KRB5 migration issues
Gedaliah Wolosh
gwolosh@njit.edu
Fri, 7 Nov 2008 12:19:22 -0500 (EST)
Folks,
I am testing the cutover of AFS kaserver to MIT Kerberos5.
The test cell to be cut over is named "ucs.njit.edu". This cell is set up
to mimic the existing production cell, which has about 12,000 active
AFS accounts.
The goal is to have cell ucs.njit.edu authenticate to realm NJIT.EDU
without having the 12,000 users change passwords. There are 2 questions
that I would like to ask:
I am running 3 KDCs using the MIT distribution that comes with RHEL4: 1.3.4.
I built afs2k5db, and am using the fakeka I got from a distribution built
by Chris Wing at:
http://www-personal.umich.edu/~wingc/openafs/dist/1.4.1-rc2/RPMS/x86_64/openafs-server-krb5-1.4.1rc2-rhel4.0.x86_64.rpm
(BTW, the afs2k5db in the distribution above didn't work.)
The AFS cell ucs.njit.edu consists of 3 DB servers and 1 fileserver,
running version 1.4.7 on Solaris 10.
I.
The first scenario I tested had the _same_ test cell name and KDC realm name.
I created the principal afs/ucs.njit.edu. I migrated a user using
afs2k5db. Kinit and aklog work with no problems and no password change needed.
I started ka-forwarder on the DB servers (afsdb1.njit.edu, afsdb2.njit.edu,
afsdb3.njit.edu) and fakeka on the KDCs. Klog did not work:
$ klog afsuser
Password:
Unable to authenticate to AFS because user doesn't exist.
However on a KDC:
# /usr/afs/bin/fakeka -d -f afsdb1.njit.edu -f afsdb2.njit.edu -f afsdb3.njit.edu
Handling Authenticate request
Authenticating afsuser.
Handling GetTicket request
Cell is UCS.NJIT.EDU
Request for afs/
ticket: afsuser.@ for krbtgt.UCS.NJIT.EDU
From /var/log/messages :
Nov 5 14:20:29 fakeka[25998]: authenticate: afsuser. from 128.235.xxx.xx
Nov 5 14:20:29 fakeka[25998]: principal afs. does not exist
Nov 5 14:20:29 fakeka[25998]: getticket: afsuser. from 128.235.xxx.xx for afs.
Nov 5 14:20:29 fakeka[25998]: ... failed due to principal does not exist
It seems that fakeka is trying to get a ticket for afs@UCS.NJIT.EDU and not
afs/ucs.njit.edu@UCS.NJIT.EDU.
I deleted the afs/ucs.njit.edu principal and created an afs principal. I
generated and distributed new KeyFiles. Klog then worked.
This is no big deal but the recommended instructions are to use the
afs/cellname principal. Did I make a mistake here somewhere? When the cell name
is the same as the realm name should klog work if the kerberos principal is
afs/cellname?
II.
The second scenario is having cell ucs.njit.edu authenticate to REALM NJIT.EDU -
i.e., _different_ cell name and realm name.
I migrated a user using "afs2k5db -r UCS.NJIT.EDU". I noticed that when a
principal is migrated over, the principal has only 1 key, des-cbc-crc:afs3.
When I tried to kinit:
kinit(v5): Password incorrect while getting initial credentials
From /var/log/krb5kdc.log on the KDC:
Nov 06 14:04:15 kdc.njit.edu krb5kdc[30121](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 128.235.206.97: ISSUE: authtime 1225998255, etypes {rep=1 tkt=23 ses=16}, afsuser@NJIT.EDU for krbtgt/NJIT.EDU@NJIT.EDU
Nov 06 14:04:15 kdc.njit.edu krb5kdc[30121](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 128.235.206.97: ISSUE: authtime 1225998255, etypes {rep=1 tkt=23 ses=16}, afsuser@NJIT.EDU for krbtgt/NJIT.EDU@NJIT.EDU
It looks like the KDC authenticated the user. I'm not sure what is going on
here.
Based on Russ Allbery's post to krbdev:
http://mailman.mit.edu/pipermail/krb5-bugs/2008-May/006604.html
it appears afs3 salts don't work. I changed the user's password to generate new
keys, and then kinit, aklog and klog all work.
Is there any way to migrate users from a KA database and authenticate to a KRB5
realm with a different name and NOT have every user change their password?
Sorry for the long post.
Gedaliah Wolosh
University Computing Systems - IST
New Jersey Institute of Technology
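An added example, not part of the post above: the krb5kdc.log lines quoted in section II carry the information an administrator needs to audit a KA-to-Kerberos migration, because MIT's AS_REQ log entry records the enctypes the client offered, the reply-key enctype (rep=, derived from the principal's long-term key), the ticket enctype (tkt=, the krbtgt key) and the session-key enctype (ses=). A migrated principal whose only key is des-cbc-crc:afs3 will therefore show rep=1 on every successful login, which is how you can tell, from the KDC alone, which users have not yet re-keyed. The parser below handles the ISSUE form exactly as it appears in the post, plus NEEDED_PREAUTH and PREAUTH_FAILED entries in the form MIT krb5 writes them; every log line other than the one copied from the post is constructed, and the client names, IP addresses and the WEAK_ENCTYPES set are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers (RFC 3961 / MIT krb5) for the values seen in the post's log.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Assumption for this audit: single-DES (56-bit) enctypes are the ones a
# KA-migrated principal is stuck with until its password is changed.
WEAK_ENCTYPES = {1, 2, 3}

# Matches MIT krb5kdc.log AS_REQ entries; the "authtime ..., etypes {...}," part
# is only present on ISSUE lines, and ", <detail>" only on failures.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\((?P<level>\w+)\): AS_REQ "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) "
    r"tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<detail>.*))?$"
)


@dataclass
class AsReq:
    status: str
    client: str
    server: str
    client_ip: str
    offered: List[int]          # enctypes the client advertised
    rep: Optional[int] = None   # reply-key enctype (client's long-term key)
    tkt: Optional[int] = None   # ticket enctype (krbtgt key)
    ses: Optional[int] = None   # session-key enctype
    detail: Optional[str] = None


def enctype_name(etype: int) -> str:
    return ENCTYPE_NAMES.get(etype, f"etype-{etype}")


def parse_as_req(line: str) -> Optional[AsReq]:
    """Parse one krb5kdc.log line; return None for lines that are not AS_REQ."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    to_int = lambda s: int(s) if s is not None else None
    return AsReq(
        status=m.group("status"),
        client=m.group("client"),
        server=m.group("server"),
        client_ip=m.group("client_ip"),
        offered=[int(x) for x in m.group("etypes").split()],
        rep=to_int(m.group("rep")),
        tkt=to_int(m.group("tkt")),
        ses=to_int(m.group("ses")),
        detail=m.group("detail"),
    )


def audit(lines: List[str]) -> List[str]:
    """Report failed AS exchanges and successful ones still using single-DES."""
    findings = []
    for line in lines:
        r = parse_as_req(line)
        if r is None:
            continue
        if r.status != "ISSUE":
            detail = f" ({r.detail})" if r.detail else ""
            findings.append(f"{r.client} from {r.client_ip}: {r.status}{detail}")
            continue
        weak = [f"{role}={enctype_name(e)}"
                for role, e in (("rep", r.rep), ("tkt", r.tkt), ("ses", r.ses))
                if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{r.client} from {r.client_ip}: single-DES in use: "
                            + ", ".join(weak))
    return findings


# Constructed sample: line 2 is the ISSUE entry from the post (unwrapped); the
# NEEDED_PREAUTH, PREAUTH_FAILED and AES lines are made up for this example.
SAMPLE_LOG = """\
Nov 06 14:04:15 kdc.njit.edu krb5kdc[30121](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 128.235.206.97: NEEDED_PREAUTH: afsuser@NJIT.EDU for krbtgt/NJIT.EDU@NJIT.EDU, Additional pre-authentication required
Nov 06 14:04:15 kdc.njit.edu krb5kdc[30121](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 128.235.206.97: ISSUE: authtime 1225998255, etypes {rep=1 tkt=23 ses=16}, afsuser@NJIT.EDU for krbtgt/NJIT.EDU@NJIT.EDU
Nov 06 14:05:02 kdc.njit.edu krb5kdc[30121](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 128.235.206.98: PREAUTH_FAILED: otheruser@NJIT.EDU for krbtgt/NJIT.EDU@NJIT.EDU, Decrypt integrity check failed
Nov 06 14:06:40 kdc.njit.edu krb5kdc[30121](info): AS_REQ (3 etypes {18 17 16}) 128.235.206.99: ISSUE: authtime 1225998400, etypes {rep=18 tkt=23 ses=18}, newuser@NJIT.EDU for krbtgt/NJIT.EDU@NJIT.EDU
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against a real krb5kdc.log, the "single-DES in use: rep=des-cbc-crc" findings enumerate the principals whose long-term key is still the migrated afs3 key; a tkt= or ses= finding would instead point at the krbtgt key or the KDC's permitted enctype list, which is a different fix.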