[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?
Ken Hornstein
kenh@cmf.nrl.navy.mil
Tue, 14 Feb 2006 11:56:01 -0500

>It's not a bad idea to rekey one's services from time to time. It's just
>temporarily disruptive if one doesn't go through the steps in the right order
>(which for AFS would be to distribute the new key to the AFS servers
>*before* the KDC starts issuing tickets with it).

I agree in theory you should get the key to the KeyFile before the KDC
starts issuing tickets with that key. But I've rekeyed the AFS
fileservers a number of times, and basically it's not a problem.
Assuming you're using upclient/upserver, the KeyFile gets distributed
rather quickly. It never is a problem in practice.

--Ken