[OpenAFS] OpenAFS Project List

Kevin Rowland krowland@nd.edu
Wed, 14 Mar 2001 18:35:01 -0500

Stephen Joyce wrote:
> the newest revision of kerberos 5 that it will work with is  v1.0.6, which

FWIW, I created a quick patch for the afs-krb5-1.3 migration kit that
allows it to build and run against MIT K5-1.2.x distribution (I'm sure
others have as well). Here's what I found:

- configure.in:   crypto library name change

- Makefile.in:    had to add the krb5 and k5crypto libs to
                  the end of FAKEKA_LIBS

- krb_util.c:     krb5_xfree() macro no longer in krb5.h

- afs2k5db.c:     replace &master_eblock with master_kblock.enctype
                  in krb5_db_fetch_mkey() call

- afs2k5db.c:     replace &master_eblock with &master_kblock
                  in krb5_dbekd_encrypt_key_data() call

- keyfile_dump.c: replace &master_eblock with master_kblock.enctype
                  in krb5_db_fetch_mkey() call

- keyfile_dump.c: replace &master_eblock with &master_kblock
                  in krb5_dbekd_encrypt_key_data() call

fakeka caused some warnings but I traced them back to a prototype
definition in the 1.2.x code that didn't change the underlying parameter
types (u_char *) so deemed it harmless...

I just modified the .in files with the correct crypto libraries and
rebuilt configure, but perhaps the better way would be to make configure
check for either 'libcrypto' or 'libk5crypto' and act accordingly...

We have tested afs2k5db and keyfile_dump with these simple mods and they
seem to work fine. We have also found that fakeka and ka-forwarder works
as-is with 1.2.x dist.

I was going to allow a little more "test-time" to flow before bothering
Ken with these details, but I would be glad to share the patch with any
who might want it.

-- kevin

| Kevin Rowland                          Phone:   (219)631-4745     |
| Sr. Systems Engineer                   Email: krowland@nd.edu     |
| Office of Information Technology       G208 Hesburgh Library      |
| University of Notre Dame               Notre Dame, IN   46556     |

Stephen Joyce wrote:
> On Tue, 13 Mar 2001, Derrick J Brashear wrote:
> > Some corrections to this table
> >
> > On Tue, 13 Mar 2001, Laura Stentz wrote:
> >
> > > |------------------+--------------+---------------+----------------------|
> > > | Project          | Status       | Priority      | Contact Points       |
> > > | Description      |              |               |                      |
> > > |------------------+--------------+---------------+----------------------|
> > > | Kerberos v. 5    | In progress  | N/A           | Ken Hornstein, Doug  |
> > > |                  |              |               | Englert              |
> >
> > This doesn't really refer to a project; There's no "progress" to be made.
> > Doug and Ken have made available tools to enable the use of AFS in a
> > Kerberos 5 environment, in preference to the use of the kaserver.
> While it is true that these tools exist, I would not agree that there's no
> progree to be made!  The afs-krb5 migration kit is quite handy (we've
> been using it for several years now--thanks Ken and Doug!) it does have
> shortcomings.  It isn't for the faint-of-heart to compile or configure, and
> the newest revision of kerberos 5 that it will work with is  v1.0.6, which
> has significant security problems--fixed in the newest versions.  (We also
> have an issue where Windows clients fail miserably when authenticating
> against our krb5-bastardized AFS cell, but the lack of discussion of this
> issue leads me to believe that this is either a local problem or else very
> few sites are actively using the migration kit).
> Don't get me wrong, the afs-krb5 migration kit is nice; it just needs a bit
> more active maintenance IMHO...
> PS.  I'd appreciate hearing what other sites are using the 'kit (especially
> if you have Windows clients successfully authenticating against it).
> Cheers,
> Stephen
> --
> Stephen Joyce
> Systems Administrator                                            P A N I C
> Physics & Astronomy Department                         Physics & Astronomy
> University of North Carolina at Chapel Hill         Network Infrastructure
> voice: (919) 962-7214                                        and Computing
> fax: (919) 962-0480                               http://www.panic.unc.edu