[OpenAFS] Migration from kaserver DB to Kerberos 5 DB with afs2k5db
Remi Ferrand
remi.ferrand@cc.in2p3.fr
Mon, 13 Jul 2009 20:33:07 +0200
Hi everybody,
First of all, thanks for your answers ;-)
After modifying just a few lines of the migration kit, I finally got what I wanted:
- a migration kit compiled with the MIT Kerberos 1.6.3 release
- OpenAFS 1.4.10
- a working executable (compilation works, and so does everything else!!)
Before giving you my few modifications, I need to give you a little explanation:
- MIT Kerberos 1.6.3 / OpenAFS 1.4.10
- Migration kit sources obtained from /afs/grand.central.org/software/afs-krb5/
- Operating system is Solaris 10 (also tested on Debian, which is my development platform)
- MIT Kerberos 1.6.3 is installed in /usr/local/krb5
- MIT Kerberos sources are in /root/krb_src/krb5-1.6.3
- OpenAFS 1.4.10 build (obtained with the "make test" target) is in /root/openafs_src/openafs-1.4.10/sunx86_510
My patch is as simple as this ::
[patch_ccin2p3]
--- afs2k5db.c.orig Sat Jul 11 18:46:01 2009
+++ afs2k5db.c Mon Jul 13 11:20:40 2009
@@ -29,10 +29,10 @@
#endif
#include <errno.h>
=20
+#include <k5-int.h>
#include <krb5.h>
#include <com_err.h>
=20
-#include <k5-int.h>
#include <adm.h>
#include <adm_proto.h>
=20
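Review bot: moving "#include <k5-int.h>" ahead of "<krb5.h>" keeps the build tied to MIT's private internal header, which only exists in the krb5 source tree (that is why CFLAGS in the build steps has to point at /root/krb_src/krb5-1.6.3/src/include); add a one-line comment above the include saying that k5-int.h must come first because it pulls in krb5.h itself, or the next person will "fix" the order back and hit the same compile errors.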
@@ -207,8 +207,7 @@
* This is way more complicated than it needs to be! Argh.
*/
=20
- if ((retval =3D krb5_read_realm_params(convert_context, NULL,
- NULL, NULL, &rparams))) {
+ if ((retval =3D krb5_read_realm_params(convert_context, NULL,=20
&rparams))) {
com_err(argv[0], retval, "While reading realm parameters"=
);
exit(1);
}
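Review bot: the line counts in "@@ -207,8 +207,7 @@" only add up if "&rparams))) {" is an added line, so its leading "+" has been lost and this hunk will not apply with patch(1) as pasted; the change itself is right for MIT 1.6, where krb5_read_realm_params() takes only (context, realm, &rparams), but that reason should be stated next to the call so the two dropped NULL arguments are not mistaken for an accidental deletion.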
--- k5dbsubs.c.orig Mon Jul 13 11:53:44 2009
+++ k5dbsubs.c Sat Jul 11 18:58:46 2009
@@ -26,10 +26,11 @@
#endif
#include <errno.h>
=20
+#include <k5-int.h>
#include <krb5.h>
#include <com_err.h>
=20
-#include <k5-int.h>
+#include <kdb.h>
=20
#include <afs/kauth.h>
=20
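Review bot: "#include <kdb.h>" is the right addition for a 1.6 build, since krb5_db_entry and krb5_key_data are declared there rather than in k5-int.h, but the dependency on the private k5-int.h is kept at the same time; if nothing in this file needs internals beyond what kdb.h and krb5.h export, drop it here too, and the kit no longer has to be built against the MIT source tree.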
@@ -48,6 +49,8 @@
* Output one record in the format used by the database dump file
*/
=20
+krb5_key_data *key_data;
+
void
db_entry_output(FILE *f, krb5_context convert_context, char *user,
char *instance, char *realm, int kvno,
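Review bot: "krb5_key_data *key_data;" is introduced as an uninitialised, non-static file-scope pointer just before db_entry_output(), and nothing in this hunk allocates or assigns it, so any dereference inside the function is a NULL dereference, and its external linkage invites a duplicate-symbol clash if another object defines the same name. Make it a local of db_entry_output() (or at least "static") and point it at the entry's key data before use.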
--- configure.orig Mon Mar 17 01:49:24 2003
+++ configure Mon Jul 13 12:07:03 2009
@@ -2327,9 +2327,9 @@
echo "$as_me:$LINENO: result: Setting KADM_LIBS to $krb5_libs_kadm" >&5
echo "${ECHO_T}Setting KADM_LIBS to $krb5_libs_kadm" >&6
CFLAGS=3D"$CFLAGS $krb5_cflags"
-LIBS=3D"$LIBS $krb5_libs"
+LIBS=3D"$LIBS $krb5_libs -lkrb5support"
KADM_CFLAGS=3D"$krb5_cflags_kadm"
-KADM_LIBS=3D"$krb5_libs_kadm"
+KADM_LIBS=3D"$krb5_libs_kadm -lkrb5support"
=20
echo "$as_me:$LINENO: checking for socket" >&5
echo $ECHO_N "checking for socket... $ECHO_C" >&6
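Review bot: appending "-lkrb5support" to LIBS and KADM_LIBS is done in the generated configure script, so it is lost as soon as anyone regenerates it from configure.in; the same effect without editing generated output is to pass LIBS="-lkrb5support" on the ./configure command line (or add the library to the krb5 check in configure.in), which also leaves the Debian build, where the extra flag is not needed, unchanged.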
Remarks:
1. As you can see, the "configure" script has been directly modified. This is not very recommended, but my production machine doesn't have autoconf ...
2. On my Debian OS, adding the flag for libkrb5support.so, and so modifying the configure script, isn't needed, but Solaris complains about this so I had to add it explicitly.
3. This "patch", if we can call it that, hasn't been created to be "perfect" or a final version, but just to make the whole thing work, and for me, it did the trick.
[ Compilation steps ]
cd ${PATH_TO_AFS-KRB5-MIGRATION-KIT}/src
export CFLAGS="-I/root/krb_src/krb5-1.6.3/src/include -I/root/openafs_src/openafs-1.4.10/sunx86_510/dest/include"
./configure --with-krb5-config=/usr/local/krb5/bin/krb5-config
make
At this step, make will fail on the asetkey binary, but whatever, asetkey is now part of the OpenAFS source code, and our "afs2krb5" binary has been built without any error.
I wanted to check that my binary was linked to some Kerberos 5 library (it MUST be linked to one), because last time compilation succeeded but my binary was bogus and not linked to any Krb5 library.
[ldd afs2k5db]
libkadm5srv.so.5 => /usr/local/krb5-1.6.3/lib/libkadm5srv.so.5
libkdb5.so.4 => /usr/local/krb5-1.6.3/lib/libkdb5.so.4
libgssrpc.so.4 => /usr/local/krb5-1.6.3/lib/libgssrpc.so.4
libgssapi_krb5.so.2 => /usr/local/krb5-1.6.3/lib/libgssapi_krb5.so.2
libkrb5.so.3 => /usr/local/krb5-1.6.3/lib/libkrb5.so.3
libk5crypto.so.3 => /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
libcom_err.so.3 => /usr/local/krb5-1.6.3/lib/libcom_err.so.3
libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libkrb5support.so.0 => /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
libc.so.1 => /lib/libc.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libgen.so.1 => /lib/libgen.so.1
libm.so.2 => /lib/libm.so.2
Ok, everything seems good.
It seems ok to me; now I hope that it could help anybody who encounters trouble with his AFS/Kerberos 5 migration ;-)
Thanks again to those who took some time to answer me
Cheers
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
rader@hep.wisc.edu wrote:
> Try building afs2k5db like below. If that works for ya, then
> mention it to the list. If that doesn't work for ya, then try
> following these directions exactly:
>
> http://cf.ccmr.cornell.edu/publicdownloads/afs/ReadMe-to_krb5.html
>
> steve
> --
>
> ** notes from building afs2k5db on SL/RHEL44 **
>
> ## install openafs (1.4.7) headers...
> sudo yum install openafs-devel
>
> ## build krb5 in /usr/local/src/krb5-1.3.6
> untar
> ./configure --without-tcl
> make
> cp ./util/et/com_err.h include # cruft, not necessary?
> cp ./include/krb5/stock/osconf.h include # cruft, not necessary?
>
>
> ## make afs2k5db in /usr/local/src/afs-krb5
> untar
> ./configure --with-krb5-src=/usr/local/src/krb5-1.3.6/src \
> --with-krb5-config=/usr/local/src/krb5-1.3.6/src/krb5-config \
> CFLAGS="-m32 -L/usr/local/src/krb5-1.3.6/src/lib" \
> LDFLAGS="-m32 -L/usr/local/src/krb5-1.3.6/src/lib"
> cd /usr/local/src/krb5-1.3.6/src/include
> vi k5-int.h
> #if 0 #endif around struct _krb5_rc_ops { }
> make afs2k5db
> sudo cp afs2k5db /usr/sbin/afs2k5db
>
>
> (use aklog and asetkey from modern openafs build)
>
>
> > ---- Original Message ----
> > From: Remi Ferrand <remi.ferrand@cc.in2p3.fr>
> > Hi
> >
> > I'm trying to convert a kaserver.DB into a Kerberos DB with the afs2k5db
> > utility.
> > We're running Kerberos 1.6.3 on our KDC, but for afs2k5db seems only
> > compatible with the 1.2.x series I've used 1.2.7 from the MIT website (so this
> > is MIT Kerberos :)
> >
> > I had the afs-krb5.tar package from the Grand Central AFS cell
> > (/afs/grand.central.org/software/afs-krb5/) and I've compiled it across
> > MIT Kerberos 1.2.7 and OpenAFS 1.4.10.
> >
> > After modifying the Makefile manually, compilation succeeded for afs2k5db
> > (the only tool I'm interested in from the afs-krb5 archive) (see
> > attachment for my modified Makefile)
> >
> > First surprise, afs2k5db is not linked with any of my Kerberos 5
> > libraries ::
> > ldd afs2k5db
> > libresolv.so.2 => /lib/libresolv.so.2
> > libsocket.so.1 => /lib/libsocket.so.1
> > libnsl.so.1 => /lib/libnsl.so.1
> > libc.so.1 => /lib/libc.so.1
> > libmp.so.2 => /lib/libmp.so.2
> > libmd.so.1 => /lib/libmd.so.1
> > libscf.so.1 => /lib/libscf.so.1
> > libdoor.so.1 => /lib/libdoor.so.1
> > libuutil.so.1 => /lib/libuutil.so.1
> > libgen.so.1 => /lib/libgen.so.1
> > libm.so.2 => /lib/libm.so.2
> >
> > So, maybe Kerberos 5 code is statically linked into my binary (but I'm
> > doubtful, no -static is present in the Makefile)
> >
> > I could use afs2k5db to dump my kaserver.DB0 ::
> > afs2k5db /PATH/TO/kaserver.DB0 > kaserver.out
> >
> > I've deleted the AuthServer/Admin, afs key, and ktgt lines manually.
> >
> > I could import it successfully into my Kerberos 5 DB with ::
> > kdb5_util load -update -verbose kaserver.out
> > [account listing]
> >
> > I could do a getprinc on any of my old AFS credentials ::
> > kadmin.local -q "getprinc rferrand"
> > Authenticating as principal root/admin@TEST.IN2P3.FR with password.
> > Principal: rferrand@TEST.IN2P3.FR
> > Expiration date: Thu Dec 31 01:00:00 MET 2037
> > Last password change: [never]
> > Password expiration date: [none]
> > Maximum ticket life: -24670 days -1:-8:-16
> > Maximum renewable life: 7 days 00:00:00
> > Last modified: Fri Jul 10 10:25:23 MEST 2009 (rferrand@TEST.IN2P3.FR)
> > Last successful authentication: [never]
> > Last failed authentication: [never]
> > Failed password attempts: 0
> > Number of keys: 1
> > Key: vno 0, DES cbc mode with CRC-32, AFS version 3
> > Attributes:
> > Policy: [none]
> >
> > ( Max ticket life time is bogus, but not the problem here )
> >
> > But I can't use my accounts, for the passwords seem badly imported from
> > the kasDB ::
> >
> > kinit rferrand
> > Password for rferrand@TEST.IN2P3.FR:
> > kinit(v5): Password incorrect while getting initial credentials
> >
> > A capture with Wireshark doesn't show any error (before I had a
> > DECRYPT_INTEGRITY error, but not anymore), krbtgt/CELL_NAME is sent
> > to my client, but nothing appears with a "klist"
> >
> > My KDC logs don't show anything unusual ::
> > Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes
> > {18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157,
> > etypes {rep=1 tkt=16 ses=16}, rferrand@TEST.IN2P3.FR for
> > krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
> >
> > My krbtgt/TEST.IN2P3.FR principal is like this ::
> > root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
> > krbtgt/TEST.IN2P3.FR"
> > Authenticating as principal root/admin@TEST.IN2P3.FR with password.
> > Principal: krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
> > [...]
> > Number of keys: 2
> > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > Key: vno 1, DES cbc mode with CRC-32, no salt
> > Attributes:
> > Policy: [none]
> >
> > And my Master Key for the Kerberos V DB is ::
> > root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
> > K/M@TEST.IN2P3.FR"
> > Authenticating as principal root/admin@TEST.IN2P3.FR with password.
> > Principal: K/M@TEST.IN2P3.FR
> > [...]
> > Failed password attempts: 0
> > Number of keys: 1
> > Key: vno 1, DES cbc mode with CRC-32, no salt
> > Attributes: DISALLOW_ALL_TIX
> > Policy: [none]
> >
> > Simple DES is used...
> >
> > My kdc.conf file ::
> > root@cckrb01:/usr/local/krb5/var/krb5$ cat /etc/krb5/kdc.conf
> > [kdcdefaults]
> > kdc_ports = 750,88
> > v4_mode = disable
> >
> > [realms]
> > TEST.IN2P3.FR = {
> > master_key_type = des-cbc-crc
> > supported_enctypes = aes256-cts:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal
> >
> > database_name = /usr/local/krb5/var/krb5kdc/principal
> > admin_keytab = FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
> > acl_file = /etc/krb5/kadm5.acl
> > key_stash_file = /usr/local/krb5/var/krb5kdc/.k5.TEST.IN2P3.FR
> > kdc_ports = 750,88
> > max_life = 10h 0m 0s
> > max_renewable_life = 7d 0h 0m 0s
> > }
> >
> > Everything is working, except the migration of users from the kasDB to the Krb5 DB.
> >
> > If anybody has any idea ...
> >
> > Thanks
> > Rémi
> >
> >
> > --
> > Remi Ferrand | Institut National de Physique Nucleaire
> > Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
> > Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
> >
> > [...]
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
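As an added example (not part of the thread), the getprinc records quoted above lend themselves to a small audit in Python: everything a kaserver import leaves behind that a KDC administrator would want to rekey or correct (single-DES-only keys, kvno 0, the "AFS version 3" salt, the bogus negative ticket life) is visible in that text, so this parses one record and flags those conditions. The two sample records are constructed from the abridged output in the thread.

```python
import re

# Constructed samples (abridged from the getprinc output quoted in the thread):
# a kaserver-migrated user and the realm's TGT principal.
MIGRATED_PRINC = """\
Principal: rferrand@TEST.IN2P3.FR
Maximum ticket life: -24670 days -1:-8:-16
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
"""
TGT_PRINC = """\
Principal: krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

# MIT's long enctype names for single DES (56-bit keys, all deprecated).
SINGLE_DES = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
              "DES cbc mode with RSA-MD4"}
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$", re.M)
KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+), (.+)$", re.M)


def parse_getprinc(text):
    # Scalar "Name: value" fields, plus one dict per "Key:" line.
    fields = dict(FIELD_RE.findall(text))
    keys = [{"kvno": int(v), "enctype": e.strip(), "salt": s.strip()}
            for v, e, s in KEY_RE.findall(text)]
    return fields, keys


def audit_principal(text):
    # Returns (principal name, list of finding tags) for one getprinc record.
    fields, keys = parse_getprinc(text)
    enctypes = {k["enctype"] for k in keys}
    findings = []
    if keys and enctypes <= SINGLE_DES:
        findings.append("single-des-only")      # no strong key at all: must rekey
    elif enctypes & SINGLE_DES:
        findings.append("has-single-des-key")   # strong key present, weak one still usable
    if any(k["kvno"] == 0 for k in keys):
        findings.append("kvno-0")               # kaserver import artefact
    if any(k["salt"] == "AFS version 3" for k in keys):
        findings.append("afs3-salt")            # key derived with the AFS salt
    if fields.get("Maximum ticket life", "").startswith("-"):
        findings.append("negative-max-life")    # bogus lifetime carried over
    return fields.get("Principal"), findings
```

Feed it the output of "kadmin.local -q 'getprinc NAME'" one principal at a time; anything tagged single-des-only or kvno-0 is a candidate for a forced password change after the migration.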