Win2K AFS server, mirror data+config to RHEL4.5 new Server?

Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by avison48

Hello All,

This looks like a very active & helpful list. There didn't seem anything in
the May-August archives so far on my question topic, so I'll ask.

I've inherited a well-working Windows2000 AFS server that's had some
hacking to make it talk Krb5 (I believe). I don't know much about it,
it works very well.
But we wish to move its data & functions to ScientificLinux 4.5 (equivalent
to RHEL4.5) on new hardware.

Our KDC is a Windows server managed by someone else who wants to upgrade
it, which will probably break krb to the Win2K AFS server.

The Win2K AFS server has many XP & Linux clients. The Linux clients get
config in /usr/vice/etc from openafs-client.i386 1.4.6-58.SL4

Ideally can one create a 2nd server (RHEL4.5) in the same AFS realm (I'm
unclear on the difference between an AFS realm & a Kerberos realm - are
they different or the same?), which mirrors everything with the 1st Win2K
server - data, config, users, etc; then quickly retire the Win2K server.
Is that possible?

If so, I have a small RHEL4.5 test machine which is currently a client of
the Win2K AFS server, would like to make it into an AFS server (it will
need the same disk space - only 100GB); then do same on the real new server
hardware with RHEL4.5, then retire all but that new RH AFS server.

Pointers welcome!

I found a KeyFile on the Win2K AFS server (type = data), but am unsure what
to do with it. Does that become /etc/krb5.keytab, or does /etc/krb5.keytab
only exist on a Unix kerberos server?
We don't have one, & someone else manages the Windows KDC.

I've installed openafs-server.i386 1.4.6-58.SL4 onto test machine, which
made /usr/afs/bin & /usr/afs/logs; /usr/vice/etc already exists since it's
an AFS client. I assume one must ln -s /usr/vice/etc /usr/afs/etc?

Online doc seems to imply /etc/openafs as main directory, also
/usr/libexec/openafs is mentioned (but doesn't exist).
Is the correct path /usr/afs or /etc/openafs ?
Current RPMs make /usr/afs & /usr/vice/etc, so one is just puzzled.


Very grateful for your kind help,
Winnie L

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@...
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by Jeffrey Altman-2

avison48 wrote:

> I've inherited a well-working Windows2000 AFS server that's had some
> hacking to make it talk Krb5 (I believe).

Your server OS is Windows 2000.  What is the AFS Server version?

> Our KDC is a Windows server managed by someone else who wants to upgrade
> it, which will probably break krb to the Win2K AFS server.

Why do you believe this to be true?

> I found a KeyFile on the Win2K AFS server (type = data),

The KeyFile is the AFS file that contains the AFS keys.  All servers in
the AFS cell must have a copy of it.  This is not a keytab file.



Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by Christopher D. Clausen

Jeffrey Altman <jaltman@...> wrote:
> avison48 wrote:
>> Our KDC is a Windows server managed by someone else who wants to
>> upgrade it, which will probably break krb to the Win2K AFS server.
>
> Why do you believe this to be true?

An upgrade of Active Directory from Windows 2000 to Windows 2003
increments all kvnos and WILL break all non-Windows machines that have
had keytabs extracted for them.  Yes, this did happen to me when campus
upgraded AD.

You can of course re-extract the keytabs and fix everything, but it is a
real annoyance.

<<CDC

Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by avison48

Thank you very much for responding.

> Your server OS is Windows 2000.  What is the AFS Server
> version?

IBM AFS v3.5 (works great)

> > Our KDC is a Windows server managed by someone else who wants to upgrade
> > it, which will probably break krb to the Win2K AFS server.
>
> Why do you believe this to be true?

The KDC/Microsoft SysAdmin knows more about Kerberos than I, & knew
the former admin who built the Win2K AFS server & did tweaking of it; he's
pretty sure his planned upgrade on the KDC will break this win2K AFS hacked
kerberos. So he strongly advises migrating AFS to another platform, & our
standard (now) is SL4.5. Seems a good idea to retire a Win2K server anyway.

His KDC is currently Win2003, I'm not sure what he wants to upgrade.
But he's quite sure the tweaked kerberos used by the Win2K server will break.

All How-to AFS-server doc found so far seems to expect the AFS admin is
full KDC admin (and on Unix too). But I have no access to our microsoft
KDC - am 'just a customer' of it.

> > I found a KeyFile on the Win2K AFS server (type data),
>
> The KeyFile is the AFS file that contains the AFS keys.
> All servers in the AFS cell must have a copy of it.  This is not a keytab
> file.

Thank you for that info! What is done then with the type=data Keyfile from
a Win2K IBM AFS 3.5 server on an SL4.5 mirrored AFS server?

Is it possible to setup a secondary AFS server 'peer' or 'mirror'??
Does anyone know or can point to any info?
There is doc on how to build a secondary database server, but will that
have 'everything' to take over so the first server can be shut down?

Otherwise the SL4.5 server needs to be built in a wholly test AFS domain
then rebuilt in a maint outage as 'real' server.

Should the standard path be /etc/openafs, or /usr/afs as the rpm installs?

Very grateful for any help!

Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by Jason Edgecombe-3

avison48 wrote:

>
> The KDC/Microsoft SysAdmin knows more about Kerberos than I, & knew
> the former admin who built the Win2K AFS server & did tweaking of it; he's
> pretty sure his planned upgrade on the KDC will break this win2K AFS hacked
> kerberos. So he strongly advises migrating AFS to another platform, & our
> standard (now) is SL4.5. Seems a good idea to retire a Win2K server anyway.
>
> His KDC is currently Win2003, I'm not sure what he wants to upgrade.
> But he's quite sure the tweaked kerberos used by the Win2K server will break.
>
> All How-to AFS-server doc found so far seems to expect the AFS admin is
> full KDC admin (and on Unix too). But I have no access to our microsoft
> KDC - am 'just a customer' of it.
>
>
>>> I found a KeyFile on the Win2K AFS server (type data),
>> The KeyFile is the AFS file that contains the AFS keys.
>> All servers in the AFS cell must have a copy of it.  This is not a keytab
>> file.
>
> Thank you for that info! What is done then with the type=data Keyfile from
> a Win2K IBM AFS 3.5 server on an SL4.5 mirrored AFS server?
>
> Is it possible to setup a secondary AFS server 'peer' or 'mirror'??
> Does anyone know or can point to any info?
> There is doc on how to build a secondary database server, but will that
> have 'everything' to take over so the first server can be shut down?
>
> Otherwise the SL4.5 server needs to be built in a wholly test AFS domain
> then rebuilt in a maint outage as 'real' server.
>
> Should the standard path be /etc/openafs, or /usr/afs as the rpm installs?
>
These instructions might help
http://www.openafs.org/pages/doc/QuickStartUnix/auqbg006.htm#HDRWQ99

You should add the SL4.5 box as an additional server. Install openafs,
copy the keyfile over and start the daemons. Then you can move the
volumes to the new server.

Ideally you should add two or three SL4.5 servers as fileserver/DB
servers. Then you won't have an outage when you shutdown the win2k box.

Plan:
1. add new servers as DB/file servers
2. Add new DB servers to CellServDB file on all clients
3. migrate volumes to new servers (vos move)
4. shutdown old server
5. remove old server IP from clients or set up a new box with the same
IP as the win2k box.

Three is the recommended number of DB servers so that you can still run
vos commands when one server fails.  File access is still OK with one DB
server active, but you can't vos move, create, ...

For kerberos, you just need the AFS service principal and a kerberos
account for the AFS admin user. Any other AFS users need kerberos
principals as well, but getting the keytab for the AFS service principal
from the kerberos admin is the critical thing. Getting the keytab should
be unnecessary because you already have an AFS keyfile and I'm assuming
you have an AFS account that has admin privileges.

Sincerely,
Jason
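A dry-run planner for step 3 of the plan above (vos move of the volumes), added here as an example; it is not part of the thread or of the OpenAFS tools. It assumes placeholder names: old server win2kafs, new server sl45afs, partition /vicepa on both, and cell example.org; the listvol output it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run planner for step 3 of the
# migration plan: turn "vos listvol" output for the old server into one
# "vos move" command per RW volume. Assumed (placeholder) names: old server
# win2kafs, new server sl45afs, both using /vicepa, cell example.org.
OLD_SERVER=win2kafs
OLD_PART=/vicepa
NEW_SERVER=sl45afs
NEW_PART=/vicepa
CELL=example.org

# Constructed sample of "vos listvol $OLD_SERVER $OLD_PART" output.
SAMPLE_LISTVOL='Total number of volumes on server win2kafs partition /vicepa: 4
root.afs                          536870912 RW          4 K On-line
root.afs.readonly                 536870913 RO          4 K On-line
user.winnie                       536870915 RW     102400 K On-line
user.winnie.backup                536870917 BK     102400 K On-line

Total volumes onLine 4 ; Total volumes offLine 0 ; Total busy 0'

# plan_moves: read listvol output on stdin, print a "vos move" for each RW
# volume. RO clones are skipped on purpose: move the RW, then "vos addsite"
# on the new server, "vos release", and "vos remsite" on the old one.
# BK volumes are skipped too: re-create them with "vos backup" after the move.
plan_moves() {
    awk -v os="$OLD_SERVER" -v op="$OLD_PART" \
        -v ns="$NEW_SERVER" -v np="$NEW_PART" -v cell="$CELL" '
        NF >= 5 && $3 == "RW" {
            printf "vos move -id %s -fromserver %s -frompartition %s -toserver %s -topartition %s -cell %s\n", $1, os, op, ns, np, cell
        }'
}

# count_rw: number of RW volumes in the listing; compare it with the number
# of moves that actually succeeded before shutting the old server down.
count_rw() {
    awk 'NF >= 5 && $3 == "RW" { n++ } END { print n + 0 }'
}

# Print the plan. Nothing is executed; review it, then pipe it to sh.
echo "$SAMPLE_LISTVOL" | plan_moves
```

The KeyFile itself is not a volume and is not covered by this list; after the binary copy, `bos listkeys` on the old and new servers should report the same key version numbers.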

Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by Jeffrey Altman-2

avison48 wrote:
> Thank you very much for responding.
>
>> Your server OS is Windows 2000.  What is the AFS Server
>> version?
>
> IBM AFS v3.5 (works great)

That is what I expected.  The OpenAFS servers do not work very
well and no one has put the time into fixing them.

>>> Our KDC is a Windows server managed by someone else who wants to upgrade
>>> it, which will probably break krb to the Win2K AFS server.
>> Why do you believe this to be true?
>
> The KDC/Microsoft SysAdmin knows more about Kerberos than I, & knew
> the former admin who built the Win2K AFS server & did tweaking of it; he's
> pretty sure his planned upgrade on the KDC will break this win2K AFS hacked
> kerberos. So he strongly advises migrating AFS to another platform, & our
> standard (now) is SL4.5. Seems a good idea to retire a Win2K server anyway.
>
> His KDC is currently Win2003, I'm not sure what he wants to upgrade.
> But he's quite sure the tweaked kerberos used by the Win2K server will break.
>
> All How-to AFS-server doc found so far seems to expect the AFS admin is
> full KDC admin (and on Unix too). But I have no access to our microsoft
> KDC - am 'just a customer' of it.

You keep saying "hacked".  The IBM AFS Servers (regardless of platform)
do not support Kerberos v5 ticket formats.  Therefore, the way that a
Kerberos v5 KDC (such as Windows 2003) can be used for authentication is
to create an "afs/<cell>@<REALM>" service principal, mark it for DES
only encryption, copy the DES key to the AFS KeyFile using a keytab and
asetkey.   A krb524 and/or a kaforwarder daemon must then be installed
on the AFS server in order to obtain AFS tokens in the Kerberos v4
format understood by the IBM Servers.

Now, if Active Directory is already running on Windows 2003, there is
not going to be a key change for AFS as a result of your upgrade.

Perhaps your admin is simply worried that the IBM AFS Server will not
install on Windows 2003.

In any case, there are many reasons to upgrade your servers to OpenAFS.
If you would prefer to stay on Windows for your AFS Servers and have a
few pounds to invest in its support, I would be happy to work with you
off-line to get you OpenAFS Server binaries that will work on Windows
2003 and 2008.

>>> I found a KeyFile on the Win2K AFS server (type data),
>> The KeyFile is the AFS file that contains the AFS keys.
>> All servers in the AFS cell must have a copy of it.  This is not a keytab
>> file.
>
> Thank you for that info! What is done then with the type=data Keyfile from
> a Win2K IBM AFS 3.5 server on an SL4.5 mirrored AFS server?

A binary copy via a secure method is sufficient.

Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by Sergio Gelato

* Jason Edgecombe [2008-08-19 08:48:18 -0400]:
> avison48 wrote:
> > Is it possible to setup a secondary AFS server 'peer' or 'mirror'??
> > Does anyone know or can point to any info?
> > There is doc on how to build a secondary database server, but will that
> > have 'everything' to take over so the first server can be shut down?

> These instructions might help
> http://www.openafs.org/pages/doc/QuickStartUnix/auqbg006.htm#HDRWQ99
>
> You should add the SL4.5 box as an additional server. Install openafs,
> copy the keyfile over and start the daemons. Then you can move the
> volumes to the new server.

There may be a catch in his case, though: the ubik bug that came to
light in January 2004 (2^30 seconds after the UNIX epoch). What will
happen if his existing dbserver hasn't been patched?

> Ideally you should add two or three SL4.5 servers as fileserver/DB
> servers. Then you won't have an outage when you shutdown the win2k box.
>
> Plan:
> 1. add new servers as DB/file servers
> 2. Add new DB servers to CellServDB file on all clients
> 3. migrate volumes to new servers (vos move)
> 4. shutdown old server
> 5. remove old server IP from clients or set up a new box with the same
> IP as the win2k box.
>
> Three is the recommended number of DB servers so that you can still run
> vos commands when one server fails.  File access is still OK with one DB
> server active, but you can't vos move, create, ...
>
> For kerberos, you just need the AFS service principal and a kerberos
> account for the AFS admin user. Any other AFS users need kerberos
> principals as well, but getting the keytab for the AFS service principal
> from the kerberos admin is the critical thing. Getting the keytab should
> be unnecessary because you already have an AFS keyfile and I'm assuming
> you have an AFS account that has admin privileges.
>
> Sincerely,
> Jason

Re: Win2K AFS server, mirror data+config to RHEL4.5 new Server?

by Jeffrey Altman-2

Sergio Gelato wrote:

> * Jason Edgecombe [2008-08-19 08:48:18 -0400]:
>> avison48 wrote:
>>> Is it possible to setup a secondary AFS server 'peer' or 'mirror'??
>>> Does anyone know or can point to any info?
>>> There is doc on how to build a secondary database server, but will that
>>> have 'everything' to take over so the first server can be shut down?
>
>> These instructions might help
>> http://www.openafs.org/pages/doc/QuickStartUnix/auqbg006.htm#HDRWQ99
>>
>> You should add the SL4.5 box as an additional server. Install openafs,
>> copy the keyfile over and start the daemons. Then you can move the
>> volumes to the new server.
>
> There may be a catch in his case, though: the ubik bug that came to
> light in January 2004 (2^30 seconds after the UNIX epoch). What will
> happen if his existing dbserver hasn't been patched?

This is an excellent point.  If the IBM AFS 3.5 servers have not been
patched the dbservers will be unable to elect a master and it will not
be possible to expand the cell.

IBM did release updates to the Windows product since the ubik bug was
fixed.

Jeffrey Altman