[OpenAFS] kaserver//k5 parallel migration
Russ Allbery
rra@stanford.edu
Fri, 19 Jan 2007 07:48:52 -0800

John W Sopko <sopko@cs.unc.edu> writes:

> I got this to work! That is, I turned the kaserver back on and made sure
> the kvnos were different in /usr/afs/etc/KeyFile. On the same machine I
> can do klog to the kaserver and things seem to work fine. Or I can
> kinit/aklog! Pretty nice! I also tested on another Linux machine.

> I do not quite understand why it works though. The fileserver is using
> the afs service keys from AD since the krb.conf file is pointing to the
> AD realm, or the -realm option to the fileserver :-).

A realm specified in krb.conf is supplemental. A realm matching the name
of the AFS cell is always also supported.

> I even made my user passwords different in the kaserver and the AD
> server and it still works fine! I just want to be sure this will work
> and why. This will be a fantastic migration path for us and I am sure
> others. I think this will work whether or not you are using an
> MIT/Heimdal or Windows KDC server.

Yup, this works. You can run kaserver and a K5 KDC in parallel and
support tokens generated by either, provided that both keys are present in
the KeyFile with different kvnos.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
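
As an added example (not part of the original message and not OpenAFS code), the precondition stated above, both keys present in the KeyFile under different kvnos, can be checked before running the two services side by side. It assumes the classic KeyFile layout of a 32-bit big-endian key count followed by 12-byte (kvno, DES key) slots; the function names and sample keys are constructed for illustration.

```python
import struct

MAX_KEYS = 8                  # assumed slot count of the classic KeyFile
SLOT = struct.Struct(">i8s")  # assumed slot: big-endian kvno + 8-byte DES key

def parse_keyfile(blob):
    """Return {kvno: key}; ValueError on malformed data or a repeated kvno."""
    if len(blob) < 4:
        raise ValueError("too short to hold the key count")
    (nkeys,) = struct.unpack_from(">i", blob, 0)
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError(f"implausible key count {nkeys}")
    if len(blob) < 4 + SLOT.size * nkeys:
        raise ValueError("truncated before the last key slot")
    keys = {}
    for i in range(nkeys):
        kvno, key = SLOT.unpack_from(blob, 4 + SLOT.size * i)
        if kvno in keys:
            raise ValueError(f"kvno {kvno} appears twice")
        keys[kvno] = key
    return keys

def check_parallel(blob, ka_kvno, k5_kvno):
    """List what blocks accepting both kaserver and K5 tokens (no key bytes)."""
    problems = []
    if ka_kvno == k5_kvno:
        problems.append("kaserver and K5 keys share one kvno")
    present = parse_keyfile(blob)
    for source, kvno in (("kaserver", ka_kvno), ("K5", k5_kvno)):
        if kvno not in present:
            problems.append(f"{source} key (kvno {kvno}) missing from KeyFile")
    return problems

def build_sample(entries):
    """Constructed test data: pack (kvno, key) pairs, zero-fill unused slots."""
    body = b"".join(SLOT.pack(kvno, key) for kvno, key in entries)
    return struct.pack(">i", len(entries)) + body.ljust(SLOT.size * MAX_KEYS, b"\0")

if __name__ == "__main__":
    sample = build_sample([(0, b"\x11" * 8), (3, b"\x22" * 8)])  # constructed keys
    print(check_parallel(sample, ka_kvno=0, k5_kvno=3) or "both keys present")
```

The checker reports only kvnos and never prints key bytes, so its output can be pasted into a ticket or change record.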