[OpenAFS] Moving AFS {pt,vl,vol?}server

Derek Atkins warlord@MIT.EDU
22 Aug 2002 10:12:52 -0400


Marcus Watts <mdw@umich.edu> writes:

> > and in the kerberos logs I get
> > 
> > ----- s n i p -----
> > Aug 21 10:22:10 <HOST1> krb5kdc[156](info): TGS_REQ (1 etypes {1}) 192.168.1.5(88): UNKNOWN_SERVER: authtime 1029909803,  turbo@<MY KERBEROS REALM> for afs/<MY CELLNAME>@<MY KERBEROS REALM>, Server not found in Kerberos database
> ...
> 
> Interesting.  In "classic" AFS at least, the only sort of afs ticket
> that will work is a k4 service ticket for "afs@K4-REALM-NAME"; that is,
> a null instance is a requirement.  Looks like you are running an "aklog"

Incorrect.  Even with classic AFS you could use afs.<cell>@REALM for
<cell>==lowercase(REALM).  E.g., afs.athena.mit.edu@ATHENA.MIT.EDU
works just fine in classic AFS.

> that tries for a K5 ticket service ticket for afs/<cellname> then defaults to
> a null instance if this does not exist.  Possibly the intent of that is
> to make it possible to get a service ticket for
> 	"afs/<some-cell>@<another-realm-trusted-a-whole-lot-by-that-cell>"
> which is a fascinating change, to say the least.  There must be some

I'm not sure why you consider this fascinating -- it's actually been
supported for a while.  Many sites do this (MIT is not the only one).
If you already have a "global" (read: enterprise-wide) Kerberos
installation, why _NOT_ leverage this for different cells?  For
example, afs/sipb.mit.edu@ATHENA.MIT.EDU, afs/dev.mit.edu@ATHENA.MIT.EDU,
afs/net.mit.edu@ATHENA.MIT.EDU, etc.   The user base is the same,
but there are reasons to run distinct cells.

Yes, everyone has to trust the people running the Athena Kerberos
realm, but everyone is doing that already for their daily work.

> other part of aklog that converts your k5 ticket to a k4 ticket.
> There are lots of versions of aklog floating around that do different
> things; I've no idea which one you've got.

Most likely you need krb524d...

> 				-Marcus Watts
> 				UM ITCS Umich Systems Group

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
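As an added illustration of the exchange above (not code from either poster), the snippet below parses krb5kdc TGS_REQ lines of the shape quoted at the top of the thread, picks out UNKNOWN_SERVER failures for AFS service principals, and reports which name aklog is described as trying next (afs/<cell>@REALM, then the null-instance afs@REALM). The log lines, host, realm, cell and client names are constructed placeholders.

```python
import re

# Constructed sample of krb5kdc TGS_REQ log lines in the format quoted in the
# thread (host, realm, cell and client names are placeholders, not real values).
SAMPLE_KDC_LOG = [
    "Aug 21 10:22:10 kdc1 krb5kdc[156](info): TGS_REQ (1 etypes {1}) 192.168.1.5(88): "
    "UNKNOWN_SERVER: authtime 1029909803,  turbo@EXAMPLE.ORG for "
    "afs/example.org@EXAMPLE.ORG, Server not found in Kerberos database",
    "Aug 21 10:22:11 kdc1 krb5kdc[156](info): TGS_REQ (1 etypes {1}) 192.168.1.5(88): "
    "ISSUE: authtime 1029909803, etypes {rep=1 tkt=1 ses=1}, "
    "turbo@EXAMPLE.ORG for afs@EXAMPLE.ORG",
]

# Status word after the request source, then "<client> for <server>[, <message>]".
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ .*?\): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+) for (?P<server>[^\s,]+)(?:, (?P<message>.*))?$"
)


def parse_kdc_line(line):
    """Return status/client/server/message from one TGS_REQ line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def afs_candidates(cell, realm):
    """AFS service principals in the order the thread says aklog tries them:
    afs/<cell>@REALM first, then the null-instance afs@REALM."""
    return [f"afs/{cell}@{realm}", f"afs@{realm}"]


def diagnose(lines, cell, realm):
    """List UNKNOWN_SERVER failures for AFS principals and what aklog tries next.

    'expected' is True when the missing name is one the cell should have, so the
    fix is a missing KDC entry rather than a misconfigured client cell name."""
    candidates = afs_candidates(cell, realm)
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None or rec["status"] != "UNKNOWN_SERVER":
            continue
        missing = rec["server"]
        if not missing.startswith("afs"):
            continue  # only AFS service principals are of interest here
        later = candidates[candidates.index(missing) + 1:] if missing in candidates else []
        findings.append({
            "client": rec["client"],
            "missing": missing,
            "expected": missing in candidates,
            "fallback": later[0] if later else None,
        })
    return findings
```

Run `diagnose(SAMPLE_KDC_LOG, "example.org", "EXAMPLE.ORG")` to see the one UNKNOWN_SERVER event and the afs@EXAMPLE.ORG fallback that the second sample line shows being issued.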