[OpenAFS] /usr/afs/etc/KeyFile from krb4?

Gabe ListAccount gabelists@yahoo.com
Thu, 11 May 2006 15:15:17 -0700 (PDT)


There is currently only 1 server. Will generating a new KeyFile corrupt data or the database, or somehow lose user accounts? Can someone give me a quick rundown on how to do this? It's been quite a while. Also, if there is a way to convert the old KeyFile and db to something usable, any pointers would be much appreciated.

Thanks,
  Gabe

"Christopher D. Clausen" <cclausen@acm.org> wrote:
Gabe ListAccount wrote:
> Hello,
>    I have a server that was hacked, and thus a new OS (CentOS4) was
> installed. I setup OpenAFS 1.4 , openafs-krb5-1.4.1 was installed. I
> dropped the old db files as well as the KeyFile into their respective
> directories. I don't think this was appropriate. How do I convert the
> old KeyFile and db (from OpenAFS 1.2.10) to be compatible with krb5?

Uhh, well, if your server was hacked you likely do not want to use
the old KeyFile and instead generate a new one.  You would need to add 
the updated key to all AFS servers in your cell and you should remove 
the old key as quickly as possible.

In the past people have used something called the Kerberos 5 Migration
Kit to go from AFS kaserver to Kerberos 5.  I'm not sure if that is
still the recommended thing to do or not though.  I thought that at least
MIT Kerberos 5 could read the older Kerberos db file from kaserver.

<<CDC
-- 
Christopher D. Clausen
ACM@UIUC SysAdmin 



   
