[OpenAFS] Re: rxk error: caller not authorized

J Maynard Gelinas gelinas@lns.mit.edu
Sun, 25 Apr 2004 09:25:04 -0400 (EDT)


On Sun, 25 Apr 2004, Christian Ospelkaus wrote:

> 
> >    Do you mean rename the "afs" principal in the Kerberos database to
> > "afs/lns.mit.edu"? How does one do that? The current krb V5 FAQ states
> > that this is not implemented, and my copy of kadmin.local doesn't offer
> > the "renprinc" subcommand. We're running krb5-1.2.4 on the servers and
> > krb5-1.2.7 on the clients. The FAQ recommends simply deleting and
> > recreating a new principal instead, but that's essentially what I was
> > thinking in 1) before. Would an upgrade to krb5-1.3.x offer the means to
> > do what you recommend?
> >
> > http://www.faqs.org/faqs/kerberos-faq/general/section-54.html
> 
> I don't know if MIT gives you that option, but under Heimdal, you can do
> the following: using kadmin's dump -d command, you can dump the whole
> database into a text file in a human-readable form. You can then delete
> all lines except the afs principal from the file, change the name of the
> principal in the one remaining line and import it back into the database
> using kadmin's merge command. Then you have both the afs and the afs/cell
> principals with identical keys. You don't need to mess with your
> fileservers. Experts, is it OK to have both principals with identical keys
> in the database? Best regards,
> 
> Christian
> 

  Hi Christian,

  Thanks for your reply. The MIT Kerberos distribution comes with a
krb5_util command which offers a db dump option. I've never used it, but
if it would allow me to dump out the db in ASCII and safely copy the
principal so that I could have both "afs" and "afs/lns.mit.edu" in the
same db, that would be the best outcome. I have backups of the db files,
so I could just move a redundant copy back in place if I blew up the
edited version. BTW: sorry about breaking the thread; I've turned off
message digests to fix that. --M
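
The dump, edit and merge step described in the quoted reply, as an added example that is not part of the original messages or of either Kerberos distribution. It assumes each line of the text dump starts with the principal name followed by a space and treats the rest of the line as opaque; the principal names, realm and field values are constructed placeholders.

```python
import os

# Constructed sample standing in for a decrypted text dump (placeholder fields).
SAMPLE_DUMP = (
    "host/fs1.example.org@EXAMPLE.ORG 1:KEYS-PLACEHOLDER-A REST-A\n"
    "afs@EXAMPLE.ORG 3:KEYS-PLACEHOLDER-B REST-B\n"
)


def copy_principal(dump_text, old, new):
    """Return a one-line dump holding old's record under the name new.

    Refuses to continue if new already exists or if old is not present
    exactly once, so a merge cannot silently clobber or duplicate a key.
    """
    matches = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        # Assumption: the first space-separated field is the principal name.
        name, _, rest = line.partition(" ")
        if name == new:
            raise ValueError(f"{new} already exists in the dump")
        if name == old:
            matches.append(rest)
    if len(matches) != 1:
        raise ValueError(f"expected one {old} record, found {len(matches)}")
    return f"{new} {matches[0]}\n"


def write_private(path, text):
    """Write the edited dump owner-only; it contains unencrypted keys."""
    # O_EXCL: never overwrite an existing file (such as the backup copy).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    merged = copy_principal(
        SAMPLE_DUMP, "afs@EXAMPLE.ORG", "afs/example.org@EXAMPLE.ORG"
    )
    write_private("afs-cell.dump", merged)  # file to hand to the merge step
    print(merged, end="")
```

Both the full dump and the one-line file hold key material in the clear, so they should be deleted once the merge has been verified.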