Re: [OpenAFS] Migration from kaserver to krb5.
Jeffrey Altman wrote: k5-int.h and adm.h are MIT Kerberos 5 header files. You won't find them in OpenAFS. Yep. Thanks for that. I'm wondering why there're not included in, FC5 krb5-devel-1.4.3-4.1.i386.rpm. This is a question for the krb5 packager, I must say. O Plameras ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Migration from kaserver to krb5.
Christopher Allen Wing wrote: Hello, On Tue, 11 Apr 2006, O Plameras wrote: I have running servers with OpenAFS-1.4.1 on FC5 using kaserver. I have used clients running OpenAFS on FC4/Win2000 and OpenAFS-1.4.1rc10 on FC5. This setup is working without any problem so far. Do you have any actual users in your AFS cell yet? Or did you just set it up with kaserver for testing purposes? If you don't yet have any user accounts / passwords, it's probably easiest not to bother with the kaserver conversion, but instead, just create new principals in the k5 database and reset the afs key. I have only half-dozen users. Yes, I created new principals in the k5 DB and reset afs key. I want to convert from kaserver to krb5. I installed and tested krb5-1.4.3 KDC. This works. Then I did these. [EMAIL PROTECTED] admin/admin [EMAIL PROTECTED] example.com.ex -k EXAMPLE.COM.EX [EMAIL PROTECTED] Tokens held by the Cache Manager: User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires Apr 11 22:04] --End of list-- Did you create a new 'afs' principal in the K5 database? Yes, I did. This is how I did it. #kadmin.local -e des-cbc-crc:v4 < It is my understanding that I need to run afs2k5db on kaserver.DBO and use the output to update krb5 keys. You only need to do this if you have users and passwords which you care about preserving. Otherwise, it's probably simpler to recreate the principals in the K5 database, and create a new 'afs/[EMAIL PROTECTED]' key. OK, I got this. I am able to create principals in K5 to aklog successfully. The problem after this is I can't do AFS maintenance commands like #vos listvol , etc. I have about 500Gbytes and for this reason I can't reset my DB. My problem is I can't compile afs2k5db. You need to have the source code tree to the version of Kerberos which you are running. This can be a pain. Yes, I have the source code tree and attempted to recompile. As I mentioned earlier the error is due to missing files, like k5-int.h, adm.h. Did you compile krb5 yourself, or are you using the stuff from FC5? If the former is the case, no problem. If the latter is the case, you will need to download the FC5 source RPM for kerberos, and do something like: create a temporary RPM root to build RPMs rpm -ivh krb5-1.4.x.src.rpm cd /SPECS rpmbuild -ba krb5.spec Yep, I've done this. Then you will have an expanded source tree in /BUILD which you can use to compile the afs-krb5 stuff. Note that you have to actually perform the build in the krb5 directory, because some of the files used by afs-krb5 require an actually built krb5. (you can't just download the Kerberos source code and untar it) Then download the afs-krb5 tar file. It won't build properly against recent OpenAFS and Kerberos so you will need some patches. I have not yet built afs-krb5 against krb5-1.4.x, so I don't know what changes are necessary. However, here are the patches that I used to build afs-krb5 against krb5-1.3.x and openafs-1.4.x: http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.4.1-rc2/SOURCES/ afs-krb5-2.0-umich.patch afs-krb5-2.0-kfdump.patch afs-krb5-2.0-krb524.patch afs-krb5-2.0-k5private.patch afs-krb5-2.0-libsocket.patch afs-krb5-2.0-warnings.patch afs-krb5-2.0-betterka2dump.patch afs-krb5-2.0-res_search.patch afs-krb5-2.0-com_err.patch afs-krb5-2.0-openafs1.3.patch afs-krb5-2.0-noaklog.patch I did not have these files. Thanks, for pointing to these files. I'll incorporate these and see what's going to be the outcome. Download the patches and apply them in that order to the afs-krb5 source code. You need to have the header files and libraries that come with OpenAFS for development purposes. (probably in the openafs-devel RPM) You then need to build it as follows: cd autoreconf ./configure -prefix=/usr --with-krb5=/usr/kerberos \ --with-afs=/usr --with-umich OK, I'll do. # where is the RPM root where you built the krb5 stuff # (make sure that /BUILD/krb5-1.4.x/include is actually the # correct path to the include files, etc.) make EXTRA_INC="-I/BUILD/krb5-1.4.x/include -I/usr/include/et" I'll do. That probably assumes that you are using a 32-bit OS, because it will look for the AFS libraries in /usr/lib not /usr/lib64. If you are using a 64-bit OS, you will need to do something different with --with-afs. I have a 32-bit. I use something similar to the above to build it on RHEL4, however I always build afs-krb5 along with the rest of OpenAFS, so I have access to the OpenAFS source code tree. If you build OpenAFS yourself (from RPM), then you can do: ./configure -prefix=/usr --with-krb5=/usr/kerberos \ --with-afs=/BUILD/xxx//dest --with-
[OpenAFS] Migration from kaserver to krb5.
Hi, I have running servers with OpenAFS-1.4.1 on FC5 using kaserver. I have used clients running OpenAFS on FC4/Win2000 and OpenAFS-1.4.1rc10 on FC5. This setup is working without any problem so far. I want to convert from kaserver to krb5. I installed and tested krb5-1.4.3 KDC. This works. Then I did these. [EMAIL PROTECTED] admin/admin [EMAIL PROTECTED] example.com.ex -k EXAMPLE.COM.EX [EMAIL PROTECTED] Tokens held by the Cache Manager: User's (AFS ID 1) tokens for [EMAIL PROTECTED] [Expires Apr 11 22:04] --End of list-- [EMAIL PROTECTED] vos listvol otr.example.com.ex Could not fetch the list of partitions from the server rxk: security object was passed a bad ticket Error in vos listvol command. rxk: security object was passed a bad ticket It is my understanding that I need to run afs2k5db on kaserver.DBO and use the output to update krb5 keys. My problem is I can't compile afs2k5db. I tried to compile using openafs-1.4.1rc10-1.1.src.rpm with these changes in openafs.spec. [EMAIL PROTECTED] SPECS]$ diff -u openafs.spec.orig openafs.spec --- openafs.spec.orig 2006-04-02 08:49:12.0 +1000 +++ openafs.spec2006-04-11 08:19:59.0 +1000 +++ openafs.spec2006-04-11 08:19:59.0 +1000 @@ -745,8 +745,8 @@ --bindir=%{_bindir} \ --sbindir=%{_sbindir} \ --with-afs=`pwd`/../../${sysname}/dest/ && \ - make all PROGS="asetkey ka-forwarder" && \ - install -c -s asetkey ka-forwarder `pwd`/../../${sysname}/dest/etc ) \ + make all PROGS="asetkey ka-forwarder afs2k5db" && \ + install -c -s asetkey ka-forwarder afs2k5db `pwd`/../../${sysname}/dest/etc ) \ || exit 1 %endif I got these errors. gcc -c -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -I/usr/src/redhat/BUILD/openafs-1.4.1-rc10/afs-krb5/src/../../i386_linux26/dest//include -DPACKAGE_NAME=\"afs-krb5\" -DPACKAGE_TARNAME=\"afs-krb5\" -DPACKAGE_VERSION=\"1.4\" -DPACKAGE_STRING=\"afs-krb5\ 1.4\" -DPACKAGE_BUGREPORT=\"[EMAIL PROTECTED]" -DAFS=1 -DAFS_INT32=1 -DAFS_TRY_FULL_PRINC=1 -DHAVE_DAEMON=1 -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STDLIB_H=1 -DHAVE_MEMORY_H=1 -DHAVE_PATHS_H=1 -DHAVE_MALLOC_H=1 -DHAVE_STRERROR=1 -DRETSIGTYPE=void -DALLOW_REGISTER afs2k5db.c afs2k5db.c:33:21: error: com_err.h: No such file or directory afs2k5db.c:35:20: error: k5-int.h: No such file or directory afs2k5db.c:36:17: error: adm.h: No such file or directory afs2k5db.c:37:23: error: adm_proto.h: No such file or directory afs2k5db.c:128: error: expected declaration specifiers or '...' before 'krb5_key_data' afs2k5db.c: In function 'main': afs2k5db.c:134: error: 'krb5_realm_params' undeclared (first use in this function) Where am I doing wrong ? Thanks for any help. O Plameras ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] Re: Kerberos 5 in OpenAFS
Franco "Sensei" wrote: [EMAIL PROTECTED] wrote: OK I understand, but I don't have to worry about users and passwords and user directories. Because this is a testproject. What I think i shoot do is get the migration tools: asetkey and aklog. Create an afs entry in Kerberos and so on ... But I cant find these migration tools for gentoo. Is there someone who knows where to find them?? You can grab them from debian's repository and recompile them. Make sure you modify the make files, because libraries have changed since woody versions. This is where I got a copy: ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/afs-krb5-2.0.tar.gz ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] fs: You don't have the required access rights on /afs
Sensei wrote: On Fri, 2004-08-13 at 13:17, O Plameras wrote: fs: You don't have the required access rights on '/afs'. What's the output of pts membership ? #pts membership admin -cell noy.com.au pts: security object was passed a bad ticket so couldn't look up names #klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [EMAIL PROTECTED] Valid starting.. Expires Service principal 999 999 krbtgt/[EMAIL PROTECTED] 99999 [EMAIL PROTECTED] Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached ___ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info
[OpenAFS] fs: You don't have the required access rights on /afs
Hi, New to AFS and this list. Tried to install many times following the AFS Quick Start Guide for Unix and http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html. I followed the howto instructions sequentially. Every time I get to using the command: #kinit admin #aklog ... ... #fs setacl /afs system:anyuser rl this error comes up: fs: You don't have the required access rights on '/afs'. I thought I have given 'admin' access rights, but obviously not. How do I give 'admin' access rights ? I am using Fedora Core 1 and MIT Kerberos 5. Thanks. O Plameras ___ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info