[OpenAFS] aklog vs referrals

Derrick Brashear shadow@gmail.com
Thu, 20 Dec 2007 12:06:58 -0500


On Dec 20, 2007 9:50 AM, John Tang Boyland <boyland@cs.uwm.edu> wrote:

> Jeffrey Altman wrote:
> ] Simon Wilkinson wrote:
> ] > So, in the
> ] > interests of fixing this quickly, we're just going to add the
> ] > afs/inf.ed.ac.uk principal, and get on with our lives.
> ] >
> ] > It's unclear to me what the 'correct' solution to actually fix aklog
> ] > is.
> ]
> ] It is my opinion that the "afs@CELL" principal name is supported for
> ] backwards compatibility with prior practices and that "afs/cell@REALM"
> ] is the current best practice.
>
> Can someone describe the steps necessary to effect this change?  We
> migrated our cell to kerberos V two years ago but still use the
> afs@REALM shorthand.  I would expect that the change involves some
> add_principal and ktadd commands and maybe asetkey and copying
> super-secret files around, but I'm afraid if I tried to do it myself,
> I would get a kvno problem and the fileservers would stop working
> and/or it would be impossible to get AFS tokens.  If it helps,
> there's nothing wrong with leaving the old afs@REALM principal alive
> and working.
>

In heimdal, at least, assuming you don't have a salted password you can just
"rename afs afs/CELL"

Annoyingly, if you use heimdal's kdc as a kaserver emulator, it then breaks
klog, because it doesn't know how to fall back if "afs@" doesn't exist.
