[OpenAFS] Moving volumes between different cell and different
realm names
Benjamin Kaduk
kaduk@MIT.EDU
Tue, 11 Oct 2016 21:43:40 -0400 (EDT)
On Tue, 11 Oct 2016, Andreas Ladanyi wrote:
> Am 10.10.2016 um 17:24 schrieb Jeffrey Altman:
> >>> And you need to install the keys from Cell B onto the fileserver.
> >> The old afs server doesnt support rxkad, only single des.
> >> The new afs server works with rxkad.
> >>
> >> Is this a problem ?
> > I believe you meant to say the new afs server uses rxkad-k5+kdf.
> Yes, thank you :-)
> >
> > If you have deployed non-DES keys to Cell B, then you cannot move the
> > fileserver from Cell A to Cell B unless you first upgrade the fileserver
> > to a version of OpenAFS that supports rxkad-k5+kdf.
> Ok, so i have to upgrade the old afs server (now cell A and in future
> cell B, realm A) to release minimum of 1.6.5 to use rxkad-k5+kd f
> extension and copy the non-des keys from the new afs server (cell B,
> realm B) to the old afs server ?
>
> Or, i have to switch the new afs server back to single des keys mode and
> copy the key from the old afs server using single des to the new afs
> server, but only for the vos move process ?
You will need to either upgrade the software on the old server or add back
a DES key to cell B. It should be possible to renerate a random DES key
that is not known to Kerberos, and install that key on all the cell B
machines as well as the old server; that key would then be used for
server-to-server communications from the old server to cell B servers but
nothing else. (The other cell B servers would not be able to authenticate
to the old server, but I believe they do not need to do so for the volume
move operation you wish to undertake.)
-Ben