[OpenAFS] Re: rxk error: caller not authorized
Christian Ospelkaus
christian@core-coutainville.org
Sun, 25 Apr 2004 14:57:33 +0200
> Do you mean rename the "afs" principal in the kerberos database to
> "afs/lns.mit.edu"? How does one do that? The current krb V5 FAQ states
> that this is not implemented, and my copy of kadmin.local doesn't offer
> the "renprinc" subcommand. We're running krb5-1.2.4 on the servers and
> krb5-1.2.7 on the clients. The FAQ recommends simply deleting and
> recreating a new principal instead, but that's essentially what I was
> thinking in 1) before. Would an upgrade to krb5-1.3.x offer the means to
> do what you recommend?
>
> http://www.faqs.org/faqs/kerberos-faq/general/section-54.html
I don't know if MIT gives you that option, but under heimdal, you can do the
following: using kadmin's dump -d command, you can dump the whole database
into a text file in a human-readable form. You can then delete all lines
except the afs principal from the file, change the name of the principal in
the one remaining line and import it back into the database using kadmin's
merge command. Then you have both the afs and the afs/cell principals with
identical keys. You don't need to mess with your fileservers. Experts, is it
OK to have both principals with identical keys in the database? Best regards,
Christian