[OpenAFS] OpenAFS Project List
Kevin Rowland
krowland@nd.edu
Wed, 14 Mar 2001 18:35:01 -0500
Stephen Joyce wrote:
>
> the newest revision of kerberos 5 that it will work with is v1.0.6, which

FWIW, I created a quick patch for the afs-krb5-1.3 migration kit that
allows it to build and run against the MIT K5-1.2.x distribution (I'm sure
others have as well). Here's what I found:

  - configure.in: crypto library name change
  - Makefile.in: had to add the krb5 and k5crypto libs to
    the end of FAKEKA_LIBS
  - krb_util.c: krb5_xfree() macro no longer in krb5.h
  - afs2k5db.c: replace &master_eblock with master_kblock.enctype
    in krb5_db_fetch_mkey() call
  - afs2k5db.c: replace &master_eblock with &master_kblock
    in krb5_dbekd_encrypt_key_data() call
  - keyfile_dump.c: replace &master_eblock with master_kblock.enctype
    in krb5_db_fetch_mkey() call
  - keyfile_dump.c: replace &master_eblock with &master_kblock
    in krb5_dbekd_encrypt_key_data() call

fakeka caused some warnings but I traced them back to a prototype
definition in the 1.2.x code that didn't change the underlying parameter
types (u_char *) so deemed it harmless...

I just modified the .in files with the correct crypto libraries and
rebuilt configure, but perhaps the better way would be to make configure
check for either 'libcrypto' or 'libk5crypto' and act accordingly...

We have tested afs2k5db and keyfile_dump with these simple mods and they
seem to work fine. We have also found that fakeka and ka-forwarder work
as-is with 1.2.x dist.

I was going to allow a little more "test-time" to flow before bothering
Ken with these details, but I would be glad to share the patch with any
who might want it.

-- kevin
/-------------------------------------------------------------------\
| Kevin Rowland Phone: (219)631-4745 |
| Sr. Systems Engineer Email: krowland@nd.edu |
| Office of Information Technology G208 Hesburgh Library |
| University of Notre Dame Notre Dame, IN 46556 |
\-------------------------------------------------------------------/
Stephen Joyce wrote:
>
> On Tue, 13 Mar 2001, Derrick J Brashear wrote:
>
> > Some corrections to this table
> >
> > On Tue, 13 Mar 2001, Laura Stentz wrote:
> >
> > > |------------------+--------------+---------------+----------------------|
> > > | Project | Status | Priority | Contact Points |
> > > | Description | | | |
> > > |------------------+--------------+---------------+----------------------|
> > > | Kerberos v. 5 | In progress | N/A | Ken Hornstein, Doug |
> > > | | | | Englert |
> >
> > This doesn't really refer to a project; There's no "progress" to be made.
> > Doug and Ken have made available tools to enable the use of AFS in a
> > Kerberos 5 environment, in preference to the use of the kaserver.
>
> While it is true that these tools exist, I would not agree that there's no
> progress to be made! The afs-krb5 migration kit is quite handy (we've
> been using it for several years now--thanks Ken and Doug!) it does have
> shortcomings. It isn't for the faint-of-heart to compile or configure, and
> the newest revision of kerberos 5 that it will work with is v1.0.6, which
> has significant security problems--fixed in the newest versions. (We also
> have an issue where Windows clients fail miserably when authenticating
> against our krb5-bastardized AFS cell, but the lack of discussion of this
> issue leads me to believe that this is either a local problem or else very
> few sites are actively using the migration kit).
>
> Don't get me wrong, the afs-krb5 migration kit is nice; it just needs a bit
> more active maintenance IMHO...
>
> PS. I'd appreciate hearing what other sites are using the 'kit (especially
> if you have Windows clients successfully authenticating against it).
>
> Cheers,
> Stephen
> --
> Stephen Joyce
> Systems Administrator P A N I C
> Physics & Astronomy Department Physics & Astronomy
> University of North Carolina at Chapel Hill Network Infrastructure
> voice: (919) 962-7214 and Computing
> fax: (919) 962-0480 http://www.panic.unc.edu