[OpenAFS] Flag this message
avison48
avison48@yahoo.co.uk
Sat, 18 Oct 2008 16:53:41 +0000 (GMT)
Good day, all, & especially Steven Jenkins who responded (thank you!)
I do have some clarification questions. I'm very grateful
for your patience and for your being so helpful.
Rough recap of plan:
. antique Win2K IBM/TransArc 3.5 AFS server
. new RHEL4 OpenAFS server
. Initially make the new server a secondary server of all the old server's
user-account info & data
. then break the join between them & the new server should be an=20
independent AFS server (not secondary)
> The primary question is where your current Kerberos authentication
> comes from. If you're running the kaserver on your IBM/Transarc AFS
> server (and given your other emails, that appears to be the case),
Yes, the Win2K IBM/TransArc 3.5 AFS server runs kaserver. So this is the
"Traditional" AFS kerberos server.
I had thought this antique AFS server was authenticating to our MS2003
kerberos server; but I see it's not, it has its own 'internal' kerberos
server. Our MS2003 KDC admin says there's no "afs" principal.
> A secondary question is how your IP address space will look: given
The old server & the new server are on entirely different subnets,
& numerically the last 2 quads of new server are both higher than the
antique. The old subnet is not really supposed to have servers on it=20
(shrug, that's the way my predecessor built it) but I can change the new=20
server to a lower-numbered IP on the old subnet temporarily, then change it=
=20
back to its correct subnet when it's "the" one & only AFS server of the=20
cell (changing CellServDB on it + clients & etc) - assuming this won't=20
break anything AFS related - for instance, the KeyFile? (if the IP gets=20
embedded in there?)
> Finally, keep in mind that AFS will only automatically synchronize the
> user-account info and the volume location information -- you will
> actually have to move the user data yourself via vos commands (e.g.,
> vos move).
Yes, I see vos copy exists for openafs but not IBM/TransArc.
> In general, doing a bos removehost $server $server-to-forget + bos
> restart $server $process of a server process removes references to
> $server-to-forget.
Ah! So it will 'wake up' with no ties to the old server. What a relief if
the disengagement from old & new life as solo/independent is that simple.
I like your outline, thank you very much for the suggestion.
I need to understand more about the kerberos bits. Many apologies if
this seems thick, & please accept gratitude for your kind patience. =20
The old AFS server runs its own kerberos server kaserver, with an AFS admin
account known to it. (And logically, all the current AFS user accounts
authenticate to that kaserver using klog.)
The new AFS server will run its own kerberos server (I've given up trying=
=20
to use the MS2003 kerberos server) & that kerberos server will have its own
distinct afs principal - yes? - & its own admin principal, & kerberos
principals for all the AFS users. Is that correct?
Or must the new server have the KeyFile from the old AFS server....
but that would point to antique kaserver on the old AFS server?
Must be "No", no future there!
A secondary database server is supposed to run the authentication &
protection services, with data it gets from the original AFS server.
So is it correct that bos addhost, which is to do all that replication,=20
will insert all the old AFS server's info about AFS user accounts, groups,
passwords, expiry dates etc etc etc, *from* the Win2K kaserver, *into* the=
=20
kerberos server running on the new RHEL4 AFS server. Yes?
(if bos addhost starts upclient, the new AFS server must need upclient
configured off when it becomes the only AFS server)
Or does a human have to create all the kerberos principals (not that many)
on the new RHEL4 kerberos server by hand, then do bos addhost?
And the old kaserver on Win2K, & the new kerberos server on RHEL4 won't
... interfere with each other, or anything bad... Is that correct?
Sorry for all the questions & thank you very much for advice!!
=0A=0ASend instant messages to your online friends http://uk.messenger.yaho=
o.com