[OpenAFS] Migration from kaserver DB to Kerberos 5 DB with afs2k5db
Remi Ferrand
remi.ferrand@cc.in2p3.fr
Fri, 10 Jul 2009 14:16:38 +0200
Hye
I'm trying to convert a kaserver.DB into Kerberos DB with afs2k5db
utility.
We're ruuning Kerberos 1.6.3 o our KDC, but for afs2k5db seems only
compatible with 1.2.x series I've used 1.2.7 from MIT Website (so this
is MIT Kerberos :)
I had afs-krb5.tar package from Grand Central AFS cell
(/afs/grand.central.org/software/afs-krb5/) and I've compiled it accross
MIT kerberos 1.2.7 and OpenAFS 1.4.10.
After modifying manually the Makefile compilation succeed for afs2k5db
(the unique tool i'm interested in from afs-krb5 archive) ( See
attachement for my modified Makefile )
First surprise, afs2k5db is not linked with any of my kerberos 5
library ::
ldd afs2k5db
libresolv.so.2 =3D> /lib/libresolv.so.2
libsocket.so.1 =3D> /lib/libsocket.so.1
libnsl.so.1 =3D> /lib/libnsl.so.1
libc.so.1 =3D> /lib/libc.so.1
libmp.so.2 =3D> /lib/libmp.so.2
libmd.so.1 =3D> /lib/libmd.so.1
libscf.so.1 =3D> /lib/libscf.so.1
libdoor.so.1 =3D> /lib/libdoor.so.1
libuutil.so.1 =3D> /lib/libuutil.so.1
libgen.so.1 =3D> /lib/libgen.so.1
libm.so.2 =3D> /lib/libm.so.2
So, maybe Kerberos5 code is statically linked into my binary (but i"m
doubtfull, no -static is present in Makefile)
I could use afs2k5db to dump my kaserver.DB0 ::
afs2k5db /PATH/TO/kaserver.DB0 > kaserver.out
I've deleted AuthServer/Admin, afs key, and ktgt lines manually.
I could import it successfully into my Kerberos 5 db with ::
kdb5_util load -update -verbose kaserver.out
[account listing]
I could do a getprinc on any of my old AFS credentials ::
kadmin.local -q "getprinc rferrand"
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: rferrand@TEST.IN2P3.FR
Expiration date: Thu Dec 31 01:00:00 MET 2037
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: -24670 days -1:-8:-16
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jul 10 10:25:23 MEST 2009 (rferrand@TEST.IN2P3.FR)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]
( Max ticket life time is bogus, but not the problem here )
But I can't use my accounts for passwords seem badly importated from
kasDB ::
kinit rferrand
Password for rferrand@TEST.IN2P3.FR:=20
kinit(v5): Password incorrect while getting initial credentials
A capture with wireshark doesn't show any error (before I had
DECRYPT_INTEGRITY error, but not now anymore), krbtgt/CELL_NAME is sent
to my client, but nothing appear with a "klist"
My KDCs logs don't show anything unusual ::
Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157,
etypes {rep=3D1 tkt=3D16 ses=3D16}, rferrand@TEST.IN2P3.FR for
krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
My krbtgt/TEST.IN2P3.FR principal is as this ::
root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
krbtgt/TEST.IN2P3.FR"
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
[...]
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
And my Master Key for Kerberos V DB is ::
root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
K/M@TEST.IN2P3.FR"
Authenticating as principal root/admin@TEST.IN2P3.FR with password.
Principal: K/M@TEST.IN2P3.FR
[...]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: DISALLOW_ALL_TIX
Policy: [none]
Simple DES is used...
My kdc.conf file ::
root@cckrb01:/usr/local/krb5/var/krb5$ cat /etc/krb5/kdc.conf
[kdcdefaults]
kdc_ports =3D 750,88
v4_mode =3D disable
[realms]
TEST.IN2P3.FR =3D {
master_key_type =3D des-cbc-crc
supported_enctypes =3D aes256-cts:normal
des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:v4
des-cbc-crc:afs3 des-cbc-crc:normal
database_name =3D /usr/local/krb5/var/krb5kdc/principal
admin_keytab =3D
FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
acl_file =3D /etc/krb5/kadm5.acl
key_stash_file
=3D /usr/local/krb5/var/krb5kdc/.k5.TEST.IN2P3.FR
kdc_ports =3D 750,88
max_life =3D 10h 0m 0s
max_renewable_life =3D 7d 0h 0m 0s
}
Everything is working, but the migration of users from kasDB to Krb5DB.
If anybody has any idea ...
Thanks
R=C3=A9mi
--=20
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
#########################################################################=
##########
#########################################################################=
##########
#########################################################################=
##########
#########################################################################=
##########
[afs2k5db Makefile]
#
# $Id: Makefile.in,v 1.12 2003/03/17 01:13:34 kenh Exp $
#
# This is the Makefile for the AFS-Kerberos 5 Migration Kit. See the
# directions below for the meaning of each flag.
#
#
# Support obj directories
#
srcdir =3D .
# Your C compiler. Salt to taste
CC=3Dcc
# Optimizer, debug flags
OPT=3D-g -I/usr/local/krb5-1.2.7/include
# Defines to add to the command line
DEFS=3D-DPACKAGE_NAME=3D\"afs-krb5\" -DPACKAGE_TARNAME=3D\"afs-krb5\"
-DPACKAGE_VERSION=3D\"1.4\" -DPACKAGE_STRING=3D\"afs-krb5\ 1.4\"
-DPACKAGE_BUGREPORT=3D\"kenh@cmf.nrl.navy.mil\" -DAFS=3D1 -DAFS_INT32=3D1
-DAFS_TRY_FULL_PRINC=3D1 -DHAVE_DAEMON=3D1 -DSTDC_HEADERS=3D1
-DHAVE_SYS_TYPES_H=3D1 -DHAVE_SYS_STAT_H=3D1 -DHAVE_STDLIB_H=3D1
-DHAVE_STRING_H=3D1 -DHAVE_MEMORY_H=3D1 -DHAVE_STRINGS_H=3D1
-DHAVE_INTTYPES_H=3D1 -DHAVE_STDINT_H=3D1 -DHAVE_UNISTD_H=3D1
-DHAVE_UNISTD_H=3D1 -DHAVE_STDLIB_H=3D1 -DHAVE_MEMORY_H=3D1 -DHAVE_MALLOC=
_H=3D1
-DHAVE_STRERROR=3D1 -DRETSIGTYPE=3Dvoid -DALLOW_REGISTER
# Include files
INCLUDE=3D -I/root/krb_src/krb5-1.2.7/src/include
-I/usr/local/openafs/include
-I/root/krb_src/krb5-1.2.7/src/include/krb5/stock
-I/root/krb_src/krb5-1.2.7/src/include/krb5
-I/root/krb_src/krb5-1.2.7/src/mac/libraries
# root/krb_src/krb5-1.2.7/src/mac/libraries =3D> autoconf.h
# /root/krb_src/krb5-1.2.7/src/include/krb5 =3D> kdb.h
# /root/krb_src/krb5-1.2.7/src/include/krb5/stock =3D> osconf.h
# /usr/local/openafs/include =3D> OpenAFS headers (/usr/local/openafs <=3D=
>
build directory)
# /root/krb_src/krb5-1.2.7/src/include =3D> Kerberos 5 headers from sourc=
e
directory
# "Extra" include files
EXTRA_INC=3D -I/root/krb_src/krb5-1.2.7/include
-I/root/krb_src/krb5-1.2.7/include/krb5 -I/usr/local/krb5/include
-I/usr/local/krb5/include/krb5
# Extra library objects (for fakeka)
LIBOBJS=3D
# Extra objects for aklog
AKLOG_EXTRA_OBJ=3Dadderrtable.o
# Library files
#LIBS=3D -L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib -lkrb5
-lk5crypto -lcom_err -lresolv -lsocket -lnsl
LIBS=3D-L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib -lkadm5srv
-lkdb5 -ldb -lgssrpc -ldyn -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
-lgen
# AFS libraries
AFSLIBS=3D-L/usr/local/openafs/lib -L/usr/local/openafs/lib/afs -lsys
-lprot -lubik -lauth -lrxkad -lrx -llwp -ldes
-lsys /usr/local/openafs/lib/afs/util.a
# Network libraries
NETLIBS=3D
# Location of the 5-2-4 library
KRB524LIB=3D-lkrb524
# CFLAGS to use for KDB/Kadm5 applications
KDB_CFLAGS=3D-I/usr/local/krb5-1.2.7/include
# Libraries to use when linking in a KDB/Kadm5 application
KDB_LIBS=3D-L/usr/local/krb5-1.2.7/lib -R/usr/local/krb5-1.2.7/lib
-lkadm5srv -lkdb5 -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
-lresolv -lsocket -lnsl
# Extra libraries for fakeka
FAKEKA_LIBS=3D-ldes425
# Install program and target installation directories
INSTALL=3D./install-sh -c
prefix=3D/usr/local/krb5
INSTALL_BIN=3D$(prefix)/bin
INSTALL_SBIN=3D$(prefix)/sbin
PROGS=3Dafs2k5db keyfile_dump
CFLAGS=3D$(OPT) $(INCLUDE) $(DEFS)
AKLOG_OBJS=3Daklog.o aklog_main.o aklog_param.o krb_util.o linked_list.o
$(AKLOG_EXTRA_OBJ)
all: $(PROGS)
clean:
rm -f $(PROGS) afs2k5db.o asetkey.o $(AKLOG_OBJS) fakeka.o
ka-forwarder.o keyfile_dump.o k5dbsubs.o $(LIBOBJS)
distclean: clean
rm -f config.cache config.log config.status Makefile
afs2k5db: afs2k5db.o k5dbsubs.o
$(CC) -o $@ afs2k5db.o k5dbsubs.o $(KDB_LIBS)
afs2k5db.o: afs2k5db.c
$(CC) -c $(CFLAGS) $(EXTRA_INC) $<
[...]
install: $(PROGS)
$(INSTALL) -s aklog $(DESTDIR)$(INSTALL_BIN)
$(INSTALL) -s afs2k5db asetkey fakeka ka-forwarder
$(DESTDIR)$(INSTALL_SBIN)