[OpenAFS] Moving a Central File Server with OpenAFS/Kerberos/LDAP to a different subnet

Holger Rauch holger.rauch@empic.de
Mon, 14 Jun 2010 14:50:20 +0200


I have to move an OpenAFS file server from one internal subnet (e.g. to another (e.g. Also, both the DNS
domain (my.old.domain -> my.new.domain) and the Kerberos realm change

The file server is running Debian Lenny for amd64, OpenAFS 1.4.12 from
Lenny backports, OpenLDAP and MIT Kerberos from standard Lenny.

The Kerberos database is stored in LDAP (initially created using

Now, I'm just not sure as to which steps exactly need to be taken for
the move. Especially, I'm not sure whether to use cross-realm
authentication between realms MY.OLD.DOMAIN and MY.NEW.DOMAIN or
whether I can simply rename MY.OLD.DOMAIN to MY.NEW.DOMAIN throughout
my LDAP DIT (e.g. obtained via slapcat and re-added via slapadd). Or is
there a totally different way to rename a Kerberos realm stored in an
LDAP DIT? Which alternative is recommended? (The krb5.conf and kdc.conf
files probably need to be adjusted as well.)

Furthermore, I probably have to modify /etc/openafs/server/ThisCell so
that it contains the new cell name, right? /etc/openafs/CellServDB
needs the host name changed so that it points to the new FQDN?

Any other hints as to what I have to take into account when moving an
OpenAFS server to a new subnet?

Thanks in advance & kind regards,

