[OpenAFS] Heimdal & OpenAFS 1.7.4: Difficult user experience

Jeffrey Altman jaltman@your-file-system.com
Fri, 27 Jan 2012 11:35:30 -0500

On 1/26/2012 2:26 PM, John Tang Boyland wrote:
> I had several students dutifully download OpenAFS 1.7.4 and Heimdal KfW
> (as recommended) and then NetworkIdentityManager v2 (three separate
> downloads and installs) only to have NIM say that it can't get AFS
> tokens.

Currently shipping versions of OpenAFS do not have native support for
Heimdal.  They access Heimdal via the MIT KFW compatibility APIs which
do not provide the ability to enable weak crypto for a single ticket
request.  All of the code has been written and is sitting on 'master' but
until I am satisfied with the performance and reliability of the afs
redirector in 1.7.x I will not be spending the time to pull it up.

Once the native Heimdal support is added to 1.7.x the allow_weak_crypto
configuration will not be required.

The reason that there are three separate installers is that each product
is independent.  They each have a separate development road map and
development teams.

> After a lot of searching (searching C:\ takes a LONG time!), I found
> krb5.conf in C:\ProgramData\Kerberos but being a system file, it
> couldn't be edited.

It is not a system file.  It is however a configuration file that cannot
be edited without Administrator privileges.  This is true for all of
\ProgramData and \Program Files and is not specific to Heimdal.

Run notepad.exe as Administrator.

> Finally with one student, he was able to make it so
> we could save our changes, but then NIM didn't work at ALL (and "kinit"
> in the command window gave error 22: couldn't initialize the context).
> Even removing allow_weak_crypto again still didn't solve the problem so
> we removed the file and reinstalled, this time with MIT KfW (64 bit from
> secure endpoints, thanks) which doesn't have the disallow-AFS-by-default
> "feature".

The reason that Heimdal is preferred over MIT KFW is that on Win7, MIT
KFW can result in very random behavior and can crash applications it is
loaded into (including the winlogon.exe service, which if it crashes will
cause the machine to BSOD).

Choose your poison.

> With the next student, we edited the file, saved it under
> a different name, and then used an administrator shell to
> rename the files.  Then with NIM restarted everything worked.
> Questions:
> (1) Is it really true that OpenAFS tells people to download software
>     that doesn't work without manually fiddling with configuration
>     files?  Or did I do something wrong with the install?


> (2) Instead, could we have the Heimdal installer default
>     "allow_weak_crypto = true" ?

Even if the Heimdal project would permit it, this is not the place to
ask for it.  Although I can tell you the answer will be 'no'.

> (3) If we're stuck with (1) and can't do (2), would anyone like me to
>     write up the installation sequence required on the Wiki?  And maybe
>     the download page could point to it so poor lusers could find it?
>     And maybe for MacOSX too, which also requires
>     a manual fiddling with /etc/krb5.conf after installation.

You mean update






to match current releases?   That would be much appreciated.

> (4) Is there a plan to finally wean AFS servers off des-cbc-crc ?




Where we are at is that Your File System Inc has a fully operational
implementation but until such time as consensus is reached that the
drafts above require no additional protocol changes OpenAFS cannot
accept the code.

Anyone that wants to help should read the Internet Drafts and provide
comments on the afs3-standardization@openafs.org mailing list.

Jeffrey Altman
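[Added example, not part of the original thread and not code from the OpenAFS, Heimdal or NIM projects.] The workaround the thread describes is a hand edit of C:\ProgramData\Kerberos\krb5.conf, which fails from a normal editor because \ProgramData is writable only by Administrators, and a botched edit leaves kinit reporting "error 22: couldn't initialize the context". The script below does that edit from an elevated PowerShell: it checks that it is elevated, keeps a timestamped backup so the change can be reverted, and sets allow_weak_crypto = true in [libdefaults], replacing an existing setting rather than adding a duplicate and creating the section if the file has none. The file path is the one named in the thread and is assumed here; the backup name and the choice of writing the file without a BOM are this example's own. Note the caveat from the reply above: with the MIT compatibility API the weak-crypto setting cannot be scoped to a single ticket request, so this enables single-DES for every ticket the library requests, not only the AFS token.

```powershell
# Added example: enable allow_weak_crypto in the Heimdal krb5.conf on Windows.
# Assumption: the file lives at C:\ProgramData\Kerberos\krb5.conf (path from the thread).
# Must be run from an elevated PowerShell; \ProgramData is not writable otherwise.

$Krb5Conf = 'C:\ProgramData\Kerberos\krb5.conf'

# Refuse to continue unless elevated, so the failure is explicit instead of a write error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) PowerShell; $Krb5Conf is not writable otherwise."
}

if (-not (Test-Path -Path $Krb5Conf)) {
    throw "krb5.conf not found at $Krb5Conf"
}

# Timestamped backup: a bad edit breaks kinit ("error 22"), so make reverting a single Copy-Item.
$backup = "$Krb5Conf.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $Krb5Conf -Destination $backup

$lines         = @(Get-Content -Path $Krb5Conf)
$out           = New-Object 'System.Collections.Generic.List[string]'
$inLibdefaults = $false
$done          = $false

foreach ($line in $lines) {
    $trim = $line.Trim()
    if ($trim -match '^\[(.+)\]$') {
        # Leaving [libdefaults] without having seen the key: add it before the next section.
        if ($inLibdefaults -and -not $done) {
            $out.Add("`tallow_weak_crypto = true")
            $done = $true
        }
        $inLibdefaults = ($Matches[1] -eq 'libdefaults')
        $out.Add($line)
        continue
    }
    if ($inLibdefaults -and $trim -match '^allow_weak_crypto\s*=') {
        # Replace an existing value (e.g. "= false") instead of appending a duplicate key.
        $out.Add("`tallow_weak_crypto = true")
        $done = $true
        continue
    }
    $out.Add($line)
}

if (-not $done) {
    if (-not $inLibdefaults) {
        # No [libdefaults] section anywhere in the file: create one at the end.
        $out.Add('[libdefaults]')
    }
    $out.Add("`tallow_weak_crypto = true")
}

# Write as plain ASCII/UTF-8 without a byte-order mark; a BOM in front of "[libdefaults]"
# is one way to end up with a krb5.conf the library cannot parse.
$utf8NoBom = New-Object System.Text.UTF8Encoding -ArgumentList $false
[System.IO.File]::WriteAllLines($Krb5Conf, $out.ToArray(), $utf8NoBom)

Write-Host "Updated $Krb5Conf (backup at $backup). Restart Network Identity Manager to pick up the change."
```

To undo the change, copy the .bak file back over krb5.conf from the same elevated shell and restart NIM; if kinit still reports error 22 after the edit, compare the two files, since a stray character in a section header is enough to stop the library from initializing its context.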
