[OpenAFS] kaserver//k5 parallel migration

Russ Allbery rra@stanford.edu
Fri, 19 Jan 2007 07:48:52 -0800

John W Sopko <sopko@cs.unc.edu> writes:

> I got this to work! That is I turned the kaserver back on and made sure
> the kvno were different in /usr/afs/etc/KeyFile. On the same machine I
> can do klog to the kaserver and things seem to work fine. Or I can
> kinit/aklog! Pretty nice! I also tested on another linux machine.

> I do not quite understand why it works though. The fileserver is using
> the afs service keys from AD since the krb.conf file is pointing to the
> AD realm, or the -realm option to the fileserver :-).

A realm specified in krb.conf is supplemental.  A realm matching the name
of the AFS cell is always also supported.

> I even made my user passwords different in the kaserver and the AD
> server and it still works fine! I just want to be sure this will work
> and why. This will be a fantastic migration path for us and I am sure
> others. I think this will work whether or not you are using a
> MIT/Heimdal or Windows KDC server.

Yup, this works.  You can run kaserver and a K5 KDC in parallel and
support tokens generated by either, provided that both keys are present in
the KeyFile with different kvnos.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>