Problems with upgrading to Solaris 7 & AFS 3.5 Patch 5 on database servers...

[Russ Allbery]

James Prater <jprater@alw.nih.gov> writes:

> We tried the AFS 3.5 patch 6 binaries after I sent out the request for
> info/help... the new code still has not resolved the problem. With patch
> 6, as with patch 5: login still fails; although klog works. This new
> release code is worse than Transarc's pre-IBM updates IMHO. If we
> utilise the kaserver from the AFS 3.5 patch 3 binaries (since we somehow
> missed downloading the patch 4 code and it is now unavailable?) all
> seems well, although I am concerned that the kerberos v4 buffer overflow
> code fix is not included.

As I understand it, the buffer overflow fix is what broke it.  The first
analysis that I read indicated that it rendered the kaserver incapable of
handing out service tickets; at the very least, it does severe damage to
its ability to serve as a functioning K4 kdc.

> Has anyone successfully integrated kerberos v5 into an AFS cell with
> recent kerberos v5 release (it seems that the migration kit does not
> support the the latest versions), or does anyone have any pointers for
> this?  This might be a better solution as one is not dependent on IBM?

Better, maybe, but it's a major undertaking if you've already got a large
K4 realm.  We've been trying to line up all the ducks for that switch for
the past four years or so (admittedly a good chunk of that time was wasted
on DCE, which I'll be happy if I never see again).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>