[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Tue, 14 Feb 2006 07:54:23 -0500


On Feb 14, 2006, at 3:27 , Juha Jäykkä wrote:

>> Keytabs are normally not supposed to be shared between multiple
>> machines, and this approach means that kadmind doesn't need to have the
>> capability of retrieving keys from the KDC, which is an additional
>> separation of capability and an additional level of security.
>
> Except that AFS requires a shared keytab. Nice. :-) What about
> (Heimdal's) ktutil, does it have the same "problem" as ktadd? And how

Heimdal's "kt_extract" (kadmin command) extracts a key without
generating a new one.  (This is generally considered a bad thing; I
could see it being limited to kadmin's "local mode" in the future.)
Other mechanisms will indeed create a new key.

> would an AFS cell recover from the unfortunate human error of an admin
> doing the line in the subject? This sounds like a disaster waiting to
> happen, there must be an easy way out.

With heimdal you could use ktutil to copy the newly extracted keytab
into the KeyFile:

ktutil copy FILE:mykt AFSKEYFILE:KeyFile

This would still leave all outstanding tokens broken, but "aklog"
should recover once the KeyFile is back in sync with the KDC.

-- 
brandon s. allbery     [linux,solaris,freebsd,perl]      allbery@kf8nh.com
system administrator  [openafs,heimdal,too many hats]  allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university      KF8NH
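The failure mode discussed in this thread is a KeyFile whose kvnos no longer match what the KDC (and a freshly extracted keytab) carry. The script below is an added example, not code from the thread or from OpenAFS/Heimdal: it checks whether every kvno present in the keytab is also present in the KeyFile, which is the condition under which "aklog" recovers after the "ktutil copy" step. The two listings are constructed sample text standing in for the output of the assumed invocations "asetkey list" (OpenAFS) and "ktutil -k FILE:mykt list" (Heimdal); on a real server those two helper functions would call the tools, and the exact output formats should be checked against the installed versions.

```shell
#!/bin/sh
# Added example: detect a KeyFile that is out of sync with the AFS keytab.
# The listings below are CONSTRUCTED stand-ins, not captured from a real cell.
# Assumed real commands they imitate:
#   asetkey list              -> kvnos currently in the AFS KeyFile
#   ktutil -k FILE:mykt list  -> entries in the keytab extracted from the KDC

keyfile_listing() {
    # Constructed stand-in for `asetkey list` output (KeyFile holds kvno 3 and 4).
    cat <<'EOF'
kvno    3: key is: 0123456789abcdef
kvno    4: key is: fedcba9876543210
All done.
EOF
}

keytab_listing() {
    # Constructed stand-in for `ktutil -k FILE:mykt list` output:
    # a ktadd-style extraction has bumped the afs key to kvno 5.
    cat <<'EOF'
FILE:mykt:

Vno  Type                     Principal
  5  des-cbc-crc              afs/xyz@EXAMPLE.ORG
EOF
}

# kvno numbers present in the KeyFile, one per line.
keyfile_kvnos() {
    keyfile_listing | awk '$1 == "kvno" { sub(":", "", $2); print $2 }'
}

# kvno of every afs/ entry in the keytab, one per line.
keytab_kvnos() {
    keytab_listing | awk '$3 ~ /^afs\// { print $1 }'
}

# kvnos the keytab carries that the KeyFile lacks, one per line.
# Each of these is a key that `ktutil copy FILE:mykt AFSKEYFILE:KeyFile`
# would still have to bring over before the KDC and the file servers agree.
missing_kvnos() {
    for v in $(keytab_kvnos); do
        keyfile_kvnos | grep -qx "$v" || echo "$v"
    done
}

# Exit 0 when the KeyFile already holds every kvno in the keytab,
# 1 when at least one is missing (the "cell broken after ktadd" state).
keyfile_in_sync() {
    [ -z "$(missing_kvnos)" ]
}

if keyfile_in_sync; then
    echo "KeyFile in sync with keytab"
else
    echo "KeyFile missing kvno(s): $(missing_kvnos | tr '\n' ' ')"
fi
```

With the constructed listings the script reports kvno 5 as missing; after the copy step the same check (now run against the real tools) should print that the KeyFile is in sync, and only then is it worth re-running "aklog" on clients.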