[OpenAFS-devel] Changing keys

Neulinger, Nathan R. nneul@umr.edu
Mon, 29 Jan 2001 16:01:59 -0600


I'm talking to Transarc about this, but I figured I'd ask others that may
have more experience with it.

When changing the afs KeyFile/the afs principal, is it necessary to restart
servers (fs/pt/vl/vol/bos)?

Additionally, it appears that bos at least doesn't handle multiple versions
of a key:

...
    /* opened the cell database */
    bozo_confdir = tdir;
    code = afsconf_GetKey(tdir, 999, &tkey);

    /* allow super users to manage RX statistics */
    rx_SetRxStatUserOk(bozo_rxstat_userok);
...

What happens with the other servers? Can they reasonably handle multiple
keys (i.e. people authenticated prior to changing the princ and after
changing the princ)?

It looks to me like the fileserver at least will attempt to reread the
keyfile whenever it has a failed access of any kind.

Has anyone here actually changed the afs key while afs is running and had it
work successfully?

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216