[OpenAFS] Quick assist - admin principal (krb5 KDC)

Russ Allbery rra@stanford.edu
Mon, 01 Jun 2009 13:52:18 -0700

Jeff Blaine <jblaine@kickflop.net> writes:

> We're still using kaserver for now, but I noticed the other day that I
> did not know the password for our krb5 'admin' principal, so
> eventually this needs to be fixed.

Or you can create a different privileged user in AFS.  Either works.
AFS just cares about whether the principal listed in
system:administrators and in UserList, so you can create a new admin
account (or one for each admin, which is what we do).

> The current entry is as such, questions following:
> Principal: admin@RCF.FOO.COM
> Expiration date: Wed Dec 30 19:00:00 EST 2037
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 1 days 00:00:00
> Maximum renewable life: 1 days 00:00:00
> Last modified: Mon Feb 18 16:12:05 EST 2008 (admin@RCF.FOO.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 21, DES cbc mode with CRC-32, AFS version 3
> Attributes:
> Policy: [none]
> 1.  Once kaserver is turned off, does this enctype need
>     to stay this way, or is this a remnant of me flailing
>     while setting this up back then?

Nope, it can have any enctype you want.  Only the afs key matters.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>