[OpenAFS] "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?

[Russ Allbery]

Adam Megacz <megacz@cs.berkeley.edu> writes:

> Wow, I just went through a really confusing experience.  Please tell me
> if this is a correct understanding:

>   1. Exporting a key from the KDC into a keytab using "ktadd" causes
>      the principal's "kvno" to be incremented.

It also causes the key stored in the KDC to be re-randomized, which is
more the problem.  :)

> If I understand correctly, simply exporting the afs principal's key from
> the KDC (regardless of where you're exporting *to*) will instantly break
> all servers in the cell.

Yup.

You have to use the same keytab everywhere; you can't download new copies
with ktadd.  ktadd changes the key.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>