Problems with upgrading to Solaris 7 & AFS 3.5 Patch 5 on database servers...

Harald Barth
Tue, 20 Mar 2001 11:35:21 +0100

Hi James, hi openafs-gatekeepers (tiny openafs patch at end)

>     We tried the AFS 3.5 patch 6 binaries after I sent out the request for
> info/help... the new code still has not resolved the problem. With patch 6,
> as with patch 5: login still fails; although klog works. 

OK, I see :-( Glad you got it somehow working with 3.5-3

> (since we somehow missed downloading the patch 4 code and it is now unavailable?)

That's one of many things I do not like - you miss one download and
your chances to compare patch releases go down the drain. It should
not be too difficult to provide all patch releases, even if they are
outdated. It is possible to stick a waring label to old patch levels
("This code may harm you health so use it at your own risk").

> although I am concerned that the kerberos v4 buffer overflow code fix is not
> included.

It is not included if v4 auth works as the fix broke the code.

> Has anyone successfully integrated kerberos v5 into an AFS cell
> with recent kerberos v5 release (it seems that the migration kit does not
> support the  the latest versions), or does anyone have any pointers for this?

At KTH at least 3 cells (2 realms) run the Heimdal kdc. It answers to
v5 and v4 questions. In contrast to the kaserver, the kerberos servers
have a fixed master - slave scheme, so you can not write to the
database (i e change your password) if your master goes down. But of
course you can continue to log in. Other than that I can not see any
limitations going from ka to krb. The Heimdal server stuff seem to
work with clients (for example pam modules) from MIT, too. However,
I might be biased as the Heimdal stuff is developed in the office
next to mine ;-)

Another options is to take the kaserver from OpenAFS and fix the buffer
overrun problems in that one as it seems to be branched out before
the broken fix.

Someone actually using the OpenAFS kaserver might want to try the
patch below (agains version of krb_udp.c) You may want to have
a look at tkt_DecodeTicket and make sure that name and inst and cell
are filled in OK in the first place.


--- krb_udp.c.orig      Tue Mar 20 11:15:46 2001
+++ krb_udp.c   Tue Mar 20 11:25:51 2001
@@ -446,7 +446,10 @@
       code = KERB_ERR_PKT_VER; /* was KABADTICKET */
       goto abort;
-    if (celllen == 0) strcpy (cell, lrealm);
+    if (celllen == 0) {
+      strncpy (cell, lrealm, MAXKTCREALMLEN-1);
+      cell[MAXKTCREALMLEN-1] = 0;
+    }
     if (krb_udp_debug) {
        printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",