[OpenAFS] Migration from kaserver DB to Kerberos 5 DB with afs2k5db

Remi Ferrand remi.ferrand@cc.in2p3.fr
Mon, 13 Jul 2009 20:33:07 +0200


Hi everybody,

First of all, thanks for your answers ;-)

After modifying just a few lines of the migration kit, I finally got what
I wanted:
- a migration kit compiled with the MIT Kerberos 1.6.3 release
- OpenAFS 1.4.10
- a working executable (compilation works, and everything else too!!)

Before giving you my few modifications, I need to give you a little explanation:
- MIT Kerberos 1.6.3 / OpenAFS 1.4.10
- Migration kit sources obtained from
/afs/grand.central.org/software/afs-krb5/
- Operating system is Solaris 10 (also tested on Debian, which is my
development platform)
- MIT Kerberos 1.6.3 is installed in /usr/local/krb5
- MIT Kerberos sources are in /root/krb_src/krb5-1.6.3
- OpenAFS 1.4.10 build (obtained with the "make test" target) is in
/root/openafs_src/openafs-1.4.10/sunx86_510

My patch is as simple as this:

[patch_ccin2p3]

--- afs2k5db.c.orig     Sat Jul 11 18:46:01 2009
+++ afs2k5db.c  Mon Jul 13 11:20:40 2009
@@ -29,10 +29,10 @@
 #endif
 #include <errno.h>
=20
+#include <k5-int.h>
 #include <krb5.h>
 #include <com_err.h>
=20
-#include <k5-int.h>
 #include <adm.h>
 #include <adm_proto.h>
=20
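Review bot: moving `#include <k5-int.h>` above `<krb5.h>` ties this file to MIT's private internal header and, per the compilation steps further down, to a -I into the krb5 source tree (/root/krb_src/krb5-1.6.3/src/include); the reorder only works around declaration conflicts between the installed krb5.h and the in-tree k5-int.h. Add a one-line comment at the include site saying that k5-int.h must come first and that the kit therefore needs the krb5 source tree, not just the installed headers, or the next person will reorder it back.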
@@ -207,8 +207,7 @@
         * This is way more complicated than it needs to be!  Argh.
         */
=20
-       if ((retval =3D krb5_read_realm_params(convert_context, NULL,
-                                             NULL, NULL, &rparams))) {
+       if ((retval =3D krb5_read_realm_params(convert_context, NULL,=20
&rparams))) {
                com_err(argv[0], retval, "While reading realm parameters"=
);
                exit(1);
        }
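Review bot: the replacement call drops the two NULL arguments, i.e. it follows the three-argument krb5_read_realm_params() of the 1.6 tree the author built against, but there is no version guard, so the file no longer compiles against the 1.2.x/1.3.x releases the kit was written for. Either wrap the two forms in a preprocessor check on the krb5 version or state the minimum MIT version in the README. Also, as pasted the new call is mail-wrapped across two lines (`NULL,=20` / `&rparams))) {`), so this hunk will not apply with patch(1) until it is rejoined.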

--- k5dbsubs.c.orig     Mon Jul 13 11:53:44 2009
+++ k5dbsubs.c  Sat Jul 11 18:58:46 2009
@@ -26,10 +26,11 @@
 #endif
 #include <errno.h>
=20
+#include <k5-int.h>
 #include <krb5.h>
 #include <com_err.h>
=20
-#include <k5-int.h>
+#include <kdb.h>
=20
 #include <afs/kauth.h>
=20
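Review bot: same k5-int.h/krb5.h reorder as in afs2k5db.c, plus a new `#include <kdb.h>`. kdb.h is the installed KDB API header, so check whether it already supplies everything k5dbsubs.c took from k5-int.h; if it does, dropping the private include here lets this file build against installed headers only. Either way, the two source files should end up with the same include policy, and the reason for the ordering deserves a comment.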
@@ -48,6 +49,8 @@
  * Output one record in the format used by the database dump file
  */
=20
+krb5_key_data *key_data;
+
 void
 db_entry_output(FILE *f, krb5_context convert_context, char *user,
                char *instance, char *realm, int kvno,
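Review bot: `krb5_key_data *key_data;` is introduced as a non-static, file-scope global right above db_entry_output(), which exports the symbol to every other object linked into afs2k5db and shares one pointer across all records written by the dump loop. If it only exists to satisfy a reference inside db_entry_output() that the include changes took away, declare it as a local in that function (or at least `static`), and initialise it explicitly instead of relying on zero-initialisation of the global.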

--- configure.orig      Mon Mar 17 01:49:24 2003
+++ configure   Mon Jul 13 12:07:03 2009
@@ -2327,9 +2327,9 @@
 echo "$as_me:$LINENO: result: Setting KADM_LIBS to $krb5_libs_kadm" >&5
 echo "${ECHO_T}Setting KADM_LIBS to $krb5_libs_kadm" >&6
 CFLAGS=3D"$CFLAGS $krb5_cflags"
-LIBS=3D"$LIBS $krb5_libs"
+LIBS=3D"$LIBS $krb5_libs -lkrb5support"
 KADM_CFLAGS=3D"$krb5_cflags_kadm"
-KADM_LIBS=3D"$krb5_libs_kadm"
+KADM_LIBS=3D"$krb5_libs_kadm -lkrb5support"
=20
 echo "$as_me:$LINENO: checking for socket" >&5
 echo $ECHO_N "checking for socket... $ECHO_C" >&6
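Review bot: appending `-lkrb5support` to LIBS and KADM_LIBS directly in the generated configure script (acknowledged in remark 1) will be lost the next time configure is regenerated, and breaks linking on installations without a separate libkrb5support (the author's own Debian build did not need it). Prefer taking the library list from `krb5-config --libs`, which the configure invocation already points at, or add a library check in configure.in so the flag is only appended where the library exists.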


Remarks:

1. As you can see, the "configure" script has been modified directly. This is
not very recommended, but my production machine doesn't have autoconf ...
2. On my Debian OS, adding the flag for libkrb5support.so, and so modifying the
configure script, isn't needed, but Solaris complains about this so I had
to add it explicitly.
3. This "patch", if we can call it that, wasn't created to be "perfect"
or a final version, but just to make the whole thing work, and for
me, it did the trick.


[ Compilation steps ]
cd ${PATH_TO_AFS-KRB5-MIGRATION-KIT}/src
export CFLAGS="-I/root/krb_src/krb5-1.6.3/src/include -I/root/openafs_src/openafs-1.4.10/sunx86_510/dest/include"
./configure --with-krb5-config=/usr/local/krb5/bin/krb5-config
make


At this step, make will fail on the asetkey binary, but whatever: asetkey is
now part of the OpenAFS source code, and our "afs2k5db" binary has been
built without any error.

I wanted to check that my binary was linked to the Kerberos 5 libraries
(it MUST be linked to them), because last time compilation succeeded but my
binary was bogus and not linked to any Krb5 library.

[ldd afs2k5db]
        libkadm5srv.so.5 =>      /usr/local/krb5-1.6.3/lib/libkadm5srv.so.5
        libkdb5.so.4 =>  /usr/local/krb5-1.6.3/lib/libkdb5.so.4
        libgssrpc.so.4 =>        /usr/local/krb5-1.6.3/lib/libgssrpc.so.4
        libgssapi_krb5.so.2 =>   /usr/local/krb5-1.6.3/lib/libgssapi_krb5.so.2
        libkrb5.so.3 =>  /usr/local/krb5-1.6.3/lib/libkrb5.so.3
        libk5crypto.so.3 =>      /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
        libcom_err.so.3 =>       /usr/local/krb5-1.6.3/lib/libcom_err.so.3
        libresolv.so.2 =>        /lib/libresolv.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libkrb5support.so.0 =>   /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
        libc.so.1 =>     /lib/libc.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libm.so.2 =>     /lib/libm.so.2

Ok, everything seems good.

It seems ok to me; now I hope that it could help anybody who encounters
trouble with his AFS/Kerberos 5 migration ;-)

Thanks again to those who took some time to answer me

Cheers


Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/





rader@hep.wisc.edu wrote:
> Try building afs2k5db like below.  If that works for ya, then
> mention it to the list.  If that doesn't work for ya, then try
> following these directions exactly:
>
>  http://cf.ccmr.cornell.edu/publicdownloads/afs/ReadMe-to_krb5.html
>
> steve
> --
>
> ** notes from building afs2k5db on SL/RHEL44 **
>
> ## install openafs (1.4.7) headers...
> sudo yum install openafs-devel
>
> ## build krb5 in /usr/local/src/krb5-1.3.6
> untar
> ./configure --without-tcl
> make
> cp ./util/et/com_err.h include # cruft, not necessary?
> cp ./include/krb5/stock/osconf.h include # cruft, not necessary?
>
>
> ## make afs2k5db in /usr/local/src/afs-krb5
> untar
> ./configure --with-krb5-src=/usr/local/src/krb5-1.3.6/src \
>   --with-krb5-config=/usr/local/src/krb5-1.3.6/src/krb5-config \
>   CFLAGS="-m32 -L/usr/local/src/krb5-1.3.6/src/lib" \
>   LDFLAGS="-m32 -L/usr/local/src/krb5-1.3.6/src/lib"
> cd /usr/local/src/krb5-1.3.6/src/include
> vi k5-int.h
> #if 0 #endif around struct _krb5_rc_ops { }
> make afs2k5db
> sudo cp afs2k5db /usr/sbin/afs2k5db
>
>
> (use aklog and asetkey from modern openafs build)
>
>
>  > ---- Original Message ----
>  > From: Remi Ferrand <remi.ferrand@cc.in2p3.fr>
>  > Hi
>  >
>  > I'm trying to convert a kaserver.DB into a Kerberos DB with the afs2k5db
>  > utility.
>  > We're running Kerberos 1.6.3 on our KDC, but as afs2k5db seems only
>  > compatible with the 1.2.x series, I've used 1.2.7 from the MIT website (so this
>  > is MIT Kerberos :)
>  >
>  > I got the afs-krb5.tar package from the Grand Central AFS cell
>  > (/afs/grand.central.org/software/afs-krb5/) and I've compiled it across
>  > MIT Kerberos 1.2.7 and OpenAFS 1.4.10.
>  >
>  > After modifying the Makefile manually, compilation succeeded for afs2k5db
>  > (the only tool I'm interested in from the afs-krb5 archive) (see
>  > attachment for my modified Makefile).
>  >
>  > First surprise, afs2k5db is not linked with any of my Kerberos 5
>  > libraries:
>  > ldd afs2k5db
>  >         libresolv.so.2 =>        /lib/libresolv.so.2
>  >         libsocket.so.1 =>        /lib/libsocket.so.1
>  >         libnsl.so.1 =>   /lib/libnsl.so.1
>  >         libc.so.1 =>     /lib/libc.so.1
>  >         libmp.so.2 =>    /lib/libmp.so.2
>  >         libmd.so.1 =>    /lib/libmd.so.1
>  >         libscf.so.1 =>   /lib/libscf.so.1
>  >         libdoor.so.1 =>  /lib/libdoor.so.1
>  >         libuutil.so.1 =>         /lib/libuutil.so.1
>  >         libgen.so.1 =>   /lib/libgen.so.1
>  >         libm.so.2 =>     /lib/libm.so.2
>  >
>  > So, maybe the Kerberos 5 code is statically linked into my binary (but I'm
>  > doubtful, no -static is present in the Makefile)
>  >
>  > I could use afs2k5db to dump my kaserver.DB0:
>  > afs2k5db /PATH/TO/kaserver.DB0 > kaserver.out
>  >
>  > I've deleted the AuthServer/Admin, afs key, and krbtgt lines manually.
>  >
>  > I could import it successfully into my Kerberos 5 DB with:
>  > kdb5_util load -update -verbose kaserver.out
>  > [account listing]
>  >
>  > I could do a getprinc on any of my old AFS credentials:
>  > kadmin.local -q "getprinc rferrand"
>  > Authenticating as principal root/admin@TEST.IN2P3.FR with password.
>  > Principal: rferrand@TEST.IN2P3.FR
>  > Expiration date: Thu Dec 31 01:00:00 MET 2037
>  > Last password change: [never]
>  > Password expiration date: [none]
>  > Maximum ticket life: -24670 days -1:-8:-16
>  > Maximum renewable life: 7 days 00:00:00
>  > Last modified: Fri Jul 10 10:25:23 MEST 2009 (rferrand@TEST.IN2P3.FR)
>  > Last successful authentication: [never]
>  > Last failed authentication: [never]
>  > Failed password attempts: 0
>  > Number of keys: 1
>  > Key: vno 0, DES cbc mode with CRC-32, AFS version 3
>  > Attributes:
>  > Policy: [none]
>  >
>  > (The max ticket lifetime is bogus, but that's not the problem here)
>  >
>  > But I can't use my accounts, as the passwords seem to have been badly imported from
>  > the kasDB:
>  >
>  >  kinit rferrand
>  > Password for rferrand@TEST.IN2P3.FR:
>  > kinit(v5): Password incorrect while getting initial credentials
>  >
>  > A capture with wireshark doesn't show any error (before I had a
>  > DECRYPT_INTEGRITY error, but not anymore), krbtgt/CELL_NAME is sent
>  > to my client, but nothing appears with a "klist"
>  >
>  > My KDC's logs don't show anything unusual:
>  > Jul 10 13:59:17 cckrb01.in2p3.fr krb5kdc[17374](info): AS_REQ (7 etypes
>  > {18 17 16 23 1 3 2}) 134.158.71.107(88): ISSUE: authtime 1247227157,
>  > etypes {rep=1 tkt=16 ses=16}, rferrand@TEST.IN2P3.FR for
>  > krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
>  >
>  > My krbtgt/TEST.IN2P3.FR principal looks like this:
>  > root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
>  > krbtgt/TEST.IN2P3.FR"
>  > Authenticating as principal root/admin@TEST.IN2P3.FR with password.
>  > Principal: krbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR
>  > [...]
>  > Number of keys: 2
>  > Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>  > Key: vno 1, DES cbc mode with CRC-32, no salt
>  > Attributes:
>  > Policy: [none]
>  >
>  > And my Master Key for the Kerberos V DB is:
>  > root@cckrb01:/usr/local/krb5/var/krb5$ kadmin.local -q "getprinc
>  > K/M@TEST.IN2P3.FR"
>  > Authenticating as principal root/admin@TEST.IN2P3.FR with password.
>  > Principal: K/M@TEST.IN2P3.FR
>  > [...]
>  > Failed password attempts: 0
>  > Number of keys: 1
>  > Key: vno 1, DES cbc mode with CRC-32, no salt
>  > Attributes: DISALLOW_ALL_TIX
>  > Policy: [none]
>  >
>  > Simple DES is used...
>  >
>  > My kdc.conf file:
>  > root@cckrb01:/usr/local/krb5/var/krb5$ cat /etc/krb5/kdc.conf
>  > [kdcdefaults]
>  >         kdc_ports = 750,88
>  >         v4_mode = disable
>  >
>  > [realms]
>  >         TEST.IN2P3.FR = {
>  >                 master_key_type = des-cbc-crc
>  >                 supported_enctypes = aes256-cts:normal
>  > des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:v4
>  > des-cbc-crc:afs3 des-cbc-crc:normal
>  >
>  >                 database_name = /usr/local/krb5/var/krb5kdc/principal
>  >                 admin_keytab =
>  > FILE:/usr/local/krb5/var/krb5kdc/kadm5.keytab
>  >                 acl_file = /etc/krb5/kadm5.acl
>  >                 key_stash_file
>  > = /usr/local/krb5/var/krb5kdc/.k5.TEST.IN2P3.FR
>  >                 kdc_ports = 750,88
>  >                 max_life = 10h 0m 0s
>  >                 max_renewable_life = 7d 0h 0m 0s
>  >         }
>  >
>  > Everything is working, except the migration of users from the kasDB to the Krb5 DB.
>  >
>  > If anybody has any idea ...
>  >
>  > Thanks
>  > Rémi
>  >
>  >
>  > --
>  > Remi Ferrand             | Institut National de Physique Nucleaire
>  > Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
>  > Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
>  >
>  > [...]
>  >
>  >
>  > _______________________________________________
>  > OpenAFS-info mailing list
>  > OpenAFS-info@openafs.org
>  > https://lists.openafs.org/mailman/listinfo/openafs-info
>  >
>
>
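The dump / edit / load procedure in Remi's quoted original message (afs2k5db dump of kaserver.DB0, manual removal of the AuthServer/Admin, afs and krbtgt lines, then `kdb5_util load -update`), written up as an added example; this is not code from the thread or from the afs-krb5 migration kit. It automates the manual deletion step so that the kaserver admin principal, the AFS cell key and kaserver's own ticket-granting key never reach the Kerberos 5 KDC, where the last of these would collide with the realm's existing krbtgt principal. The dump layout it parses (header line, then tab-separated `princ` records whose first field containing '@' is the principal name), the SAMPLE_DUMP and the drop patterns are this example's own assumptions, not facts stated on the page; the realm name TEST.IN2P3.FR is the one from the thread.

```python
"""Drop kaserver-only entries from an afs2k5db dump before `kdb5_util load`.

Added example, not code from the OpenAFS-info thread or the afs-krb5 kit.

Assumptions (labelled as such, none of them stated on the page):
  * The dump is the line-oriented text kdb5_util reads: a header line
    beginning with "kdb5_util load_dump version", then one tab-separated
    record per line whose first field is the record type ("princ" for
    principals). The principal name is taken to be the first tab-separated
    field that contains '@'.
  * SAMPLE_DUMP below is constructed for this example; every field except
    the principal names is a placeholder.
"""
import re
import sys

# Principals that must not be imported from kaserver (assumed list matching
# the thread): the kaserver admin principal, the AFS cell key (which lives in
# the fileserver KeyFile, not the KDC), and kaserver's own ticket-granting key,
# which would collide with the Kerberos 5 krbtgt/REALM principal.
DROP_PATTERNS = (
    re.compile(r"^AuthServer/Admin@"),
    re.compile(r"^afs(/[^@]*)?@"),
    re.compile(r"^krbtgt/"),
)

# Constructed sample dump; field values other than the names are placeholders.
SAMPLE_DUMP = (
    "kdb5_util load_dump version 5\n"
    "princ\t38\t21\t1\t1\t0\trferrand@TEST.IN2P3.FR\t0\t36000\t604800\t0\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t21\t1\t1\t0\tAuthServer/Admin@TEST.IN2P3.FR\t0\t36000\t604800\t0\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t21\t1\t1\t0\tafs@TEST.IN2P3.FR\t0\t36000\t604800\t0\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t21\t1\t1\t0\tkrbtgt/TEST.IN2P3.FR@TEST.IN2P3.FR\t0\t36000\t604800\t0\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t21\t1\t1\t0\tbob@TEST.IN2P3.FR\t0\t36000\t604800\t0\t0\t0\t0\t0\t-1;\n"
)


def principal_of(record):
    """Return the principal name of a 'princ' record, or None if none is found."""
    for field in record.split("\t")[1:]:
        if "@" in field:
            return field
    return None


def should_drop(principal, patterns=DROP_PATTERNS):
    """True if the principal matches one of the kaserver-only patterns."""
    return any(p.search(principal) for p in patterns)


def filter_dump(text, patterns=DROP_PATTERNS):
    """Return (filtered_dump, dropped_principals).

    Non-principal lines (header, policy records) pass through unchanged so
    the result is still a valid input for `kdb5_util load -update`.
    """
    kept, dropped = [], []
    for line in text.splitlines():
        if line.startswith("princ\t"):
            name = principal_of(line)
            if name is not None and should_drop(name, patterns):
                dropped.append(name)
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped


def main(argv):
    # Read the afs2k5db output from a file argument or stdin, write the
    # filtered dump to stdout and report what was removed on stderr.
    src = open(argv[1]) if len(argv) > 1 else sys.stdin
    with src:
        out, dropped = filter_dump(src.read())
    sys.stdout.write(out)
    for name in dropped:
        sys.stderr.write("dropped %s\n" % name)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage would be `afs2k5db /PATH/TO/kaserver.DB0 | python3 filter_dump.py > kaserver.out` followed by the thread's `kdb5_util load -update -verbose kaserver.out`. Both the raw and the filtered dump carry the converted principal keys, so create them with a restrictive umask and delete them once the load has been verified with getprinc; and review the stderr list before loading, since a principal name that matches a pattern by accident would be silently left out of the new realm.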