[OpenAFS] Migration from kaserver DB to Kerberos 5 DB with afs2k5db

Remi Ferrand remi.ferrand@cc.in2p3.fr
Fri, 10 Jul 2009 14:16:38 +0200


Hi

I'm trying to convert a kaserver.DB into a Kerberos DB with the afs2k5db
utility.
We're running Kerberos 1.6.3 on our KDC, but as afs2k5db seems only
compatible with the 1.2.x series I've used 1.2.7 from the MIT website (so this
is MIT Kerberos :)

I got the afs-krb5.tar package from the Grand Central AFS cell
(/afs/grand.central.org/software/afs-krb5/) and I've compiled it against
MIT Kerberos 1.2.7 and OpenAFS 1.4.10.

After manually modifying the Makefile, compilation succeeds for afs2k5db
(the only tool I'm interested in from the afs-krb5 archive). (See the
attachment for my modified Makefile.)

First surprise: afs2k5db is not linked with any of my Kerberos 5
libraries ::
ldd afs2k5db
        libresolv.so.2 =>        /lib/libresolv.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2

So maybe the Kerberos 5 code is statically linked into my binary (but I'm
doubtful, no -static is present in the Makefile).

I could use afs2k5db to dump my kaserver.DB0 ::
afs2k5db /PATH/TO/kaserver.DB0 > kaserver.out

I've deleted the AuthServer/Admin, afs key, and ktgt lines manually.

I could import it successfully into my Kerberos 5 DB with ::
kdb5_util load -update -verbose kaserver.out
[account listing]

I could do a getprinc on any of my old AFS credentials ::
kadmin.local -q "getprinc rferrand"
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: rferrand@TEST.IN2P3.FR
Expiration date: Thu Dec 31 01:00:00 MET 2037
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: -24670 days -1:-8:-16
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jul 10 10:25:23 MEST 2009 (rferrand@TEST.IN2P3.FR)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]

(The max ticket lifetime is bogus, but that's not the problem here.)

But I can't use my accounts, as the passwords seem to have been badly imported
from the kasDB ::

kinit rferrand
Password for rferrand@TEST.IN2P3.FR:
kinit(v5): Password incorrect while getting initial credentials

A capture with Wireshark doesn't show any error (before I had a
DECRYPT_INTEGRITY error, but not anymore); krbtgt/CELL_NAME is sent
to my client, but nothing appears with "klist".

My KDC's logs don't show anything unusual ::
Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157,
etypes {rep=1 tkt=16 ses=16}, rferrand@TEST.IN2P3.FR for
krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR

My krbtgt/TEST.IN2P3.FR principal is as follows ::
root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
krbtgt/TEST.IN2P3.FR"
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
[...]
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

And my master key for the Kerberos V DB is ::
root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
K/M@TEST.IN2P3.FR"
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: K/M@TEST.IN2P3.FR
[...]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: DISALLOW_ALL_TIX
Policy: [none]

Simple DES is used...

My kdc.conf file ::
root@cckrb01:/usr/local/krb5/var/krb5$ cat /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 750,88
        v4_mode = disable

[realms]
        TEST.IN2P3.FR = {
                master_key_type = des-cbc-crc
                supported_enctypes = aes256-cts:normal
des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:v4
des-cbc-crc:afs3 des-cbc-crc:normal

                database_name = /usr/local/krb5/var/krb5kdc/principal
                admin_keytab =
FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                key_stash_file
= /usr/local/krb5/var/krb5kdc/.k5.TEST.IN2P3.FR
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }

Everything is working, except the migration of users from the kasDB to the Krb5 DB.

If anybody has any idea...

Thanks
Rémi


-- 
Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/

[afs2k5db Makefile]
#
# $Id: Makefile.in,v 1.12 2003/03/17 01:13:34 kenh Exp $
#
# This is the Makefile for the AFS-Kerberos 5 Migration Kit.  See the
# directions below for the meaning of each flag.
#

#
# Support obj directories
#

srcdir = .


# Your C compiler.  Salt to taste
CC=cc

# Optimizer, debug flags
OPT=-g -I/usr/local/krb5-1.2.7/include

# Defines to add to the command line
DEFS=-DPACKAGE_NAME=\"afs-krb5\" -DPACKAGE_TARNAME=\"afs-krb5\" \
    -DPACKAGE_VERSION=\"1.4\" -DPACKAGE_STRING=\"afs-krb5\ 1.4\" \
    -DPACKAGE_BUGREPORT=\"kenh@cmf.nrl.navy.mil\" -DAFS=1 -DAFS_INT32=1 \
    -DAFS_TRY_FULL_PRINC=1 -DHAVE_DAEMON=1 -DSTDC_HEADERS=1 \
    -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 \
    -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 \
    -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 \
    -DHAVE_UNISTD_H=1 -DHAVE_STDLIB_H=1 -DHAVE_MEMORY_H=1 -DHAVE_MALLOC_H=1 \
    -DHAVE_STRERROR=1 -DRETSIGTYPE=void  -DALLOW_REGISTER

# Include files
INCLUDE= -I/root/krb_src/krb5-1.2.7/src/include \
    -I/usr/local/openafs/include \
    -I/root/krb_src/krb5-1.2.7/src/include/krb5/stock \
    -I/root/krb_src/krb5-1.2.7/src/include/krb5 \
    -I/root/krb_src/krb5-1.2.7/src/mac/libraries

# root/krb_src/krb5-1.2.7/src/mac/libraries => autoconf.h
# /root/krb_src/krb5-1.2.7/src/include/krb5 => kdb.h
# /root/krb_src/krb5-1.2.7/src/include/krb5/stock => osconf.h
# /usr/local/openafs/include => OpenAFS headers (/usr/local/openafs <=> build directory)
# /root/krb_src/krb5-1.2.7/src/include => Kerberos 5 headers from source directory



# "Extra" include files
EXTRA_INC= -I/root/krb_src/krb5-1.2.7/include \
    -I/root/krb_src/krb5-1.2.7/include/krb5 -I/usr/local/krb5/include \
    -I/usr/local/krb5/include/krb5

# Extra library objects (for fakeka)
LIBOBJS=

# Extra objects for aklog
AKLOG_EXTRA_OBJ=adderrtable.o

# Library files
#LIBS= -L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib -lkrb5 \
#    -lk5crypto -lcom_err -lresolv -lsocket -lnsl
LIBS=-L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib -lkadm5srv \
    -lkdb5 -ldb -lgssrpc -ldyn -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err \
    -lgen

# AFS libraries
AFSLIBS=-L/usr/local/openafs/lib -L/usr/local/openafs/lib/afs -lsys \
    -lprot -lubik -lauth -lrxkad -lrx -llwp -ldes \
    -lsys /usr/local/openafs/lib/afs/util.a

# Network libraries
NETLIBS=

# Location of the 5-2-4 library
KRB524LIB=-lkrb524

# CFLAGS to use for KDB/Kadm5 applications
KDB_CFLAGS=-I/usr/local/krb5-1.2.7/include

# Libraries to use when linking in a KDB/Kadm5 application
KDB_LIBS=-L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib \
    -lkadm5srv -lkdb5 -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err \
    -lresolv -lsocket -lnsl

# Extra libraries for fakeka
FAKEKA_LIBS=-ldes425

# Install program and target installation directories
INSTALL=./install-sh -c

prefix=/usr/local/krb5
INSTALL_BIN=$(prefix)/bin
INSTALL_SBIN=$(prefix)/sbin

PROGS=afs2k5db keyfile_dump
CFLAGS=$(OPT) $(INCLUDE) $(DEFS)

AKLOG_OBJS=aklog.o aklog_main.o aklog_param.o krb_util.o linked_list.o \
    $(AKLOG_EXTRA_OBJ)

all: $(PROGS)

clean:
	rm -f $(PROGS) afs2k5db.o asetkey.o $(AKLOG_OBJS) fakeka.o \
	    ka-forwarder.o keyfile_dump.o k5dbsubs.o $(LIBOBJS)

distclean: clean
	rm -f config.cache config.log config.status Makefile

afs2k5db: afs2k5db.o k5dbsubs.o
	$(CC) -o $@ afs2k5db.o k5dbsubs.o $(KDB_LIBS)

afs2k5db.o: afs2k5db.c
	$(CC) -c $(CFLAGS) $(EXTRA_INC) $<
[...]
install: $(PROGS)
	$(INSTALL) -s aklog $(DESTDIR)$(INSTALL_BIN)
	$(INSTALL) -s afs2k5db asetkey fakeka ka-forwarder \
	    $(DESTDIR)$(INSTALL_SBIN)
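Added example, not part of the post or of the afs-krb5 kit: a small Python audit that parses kadmin "getprinc" records like the ones quoted in the post and flags the symptoms a kaserver import leaves behind (negative max ticket life, kvno 0, single-DES-only keys, AFS version 3 salt). It assumes MIT kadmin's output layout; both sample records are constructed from the post.

```python
import re

# Constructed sample records, modelled on the getprinc output in the post.
SAMPLE_USER = """\
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: rferrand@TEST.IN2P3.FR
Expiration date: Thu Dec 31 01:00:00 MET 2037
Maximum ticket life: -24670 days -1:-8:-16
Maximum renewable life: 7 days 00:00:00
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]
"""

SAMPLE_TGT = """\
Principal: krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
Maximum ticket life: 0 days 10:00:00
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
"""

# "Key: vno N, <enctype name>, <salt name>" as printed by MIT kadmin.
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")


def parse_getprinc(text):
    """Turn one principal's getprinc output into a dict of the fields we audit."""
    info = {"principal": None, "max_life": None, "keys": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal: "):
            info["principal"] = line.split(": ", 1)[1]
        elif line.startswith("Maximum ticket life: "):
            info["max_life"] = line.split(": ", 1)[1]
        else:
            m = KEY_RE.match(line)
            if m:
                info["keys"].append((int(m.group(1)), m.group(2), m.group(3)))
    return info


def audit_principal(text):
    """Return the set of import symptoms visible in one getprinc record."""
    info = parse_getprinc(text)
    findings = set()
    if info["max_life"] is not None and info["max_life"].startswith("-"):
        findings.add("bogus-max-life")      # negative lifetime, as in the post
    if any(vno == 0 for vno, _, _ in info["keys"]):
        findings.add("kvno-zero")
    enctypes = [enc for _, enc, _ in info["keys"]]
    if enctypes and all(enc.startswith("DES cbc") for enc in enctypes):
        findings.add("single-des-only")     # no 3DES/AES key to fall back on
    if any(salt == "AFS version 3" for _, _, salt in info["keys"]):
        findings.add("afs3-salt")
    return findings
```

Run `audit_principal` over the output of `kadmin.local -q "getprinc <name>"` for each imported user to get the list of principals that still need a real password change after the load.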