[OpenAFS] Win2K AFS server, mirror data+config to RHEL4.5 new Server?

Jason Edgecombe jason@rampaginggeek.com
Tue, 19 Aug 2008 08:48:18 -0400


avison48 wrote:
>
> The KDC/Microsoft SysAdmin knows more about Kerberos than I, & knew
> the former admin who built the Win2K AFS server & did tweaking of it; he's
> pretty sure his planned upgrade on the KDC will break this win2K AFS hacked
> kerberos. So he strongly advises migrating AFS to another platform, & our
> standard (now) is SL4.5. Seems a good idea to retire a Win2K server anyway.
>
> His KDC is currently Win2003, I'm not sure what he wants to upgrade.
> But he's quite sure the tweaked kerberos used by the Win2K server will break.
>
> All How-to AFS-server doc found so far seems to expect the AFS admin is
> full KDC admin (and on Unix too). But I have no access to our microsoft 
> KDC - am 'just a customer' of it.
>
>   
>>> I found a KeyFile on the Win2K AFS server (type data),
>>>       
>> The KeyFile is the AFS file that contains the AFS keys.
>> All servers in the AFS cell must have a copy of it.  This is not a keytab
>> file.
>>     
>
> Thank you for that info! What is done then with the type=data Keyfile from
> a Win2K IBM AFS 3.5 server on an SL4.5 mirrored AFS server?
>
> Is it possible to setup a secondary AFS server 'peer' or 'mirror'??
> Does anyone know or can point to any info?
> There is doc on how to build a secondary database server, but will that
> have 'everything' to take over so the first server can be shut down?
>
> Otherwise the SL4.5 server needs to be built in a wholly test AFS domain
> then rebuilt in a maint outage as 'real' server.
>
> Should the standard path be /etc/openafs, or /usr/afs as the rpm installs?
>   
These instructions might help
http://www.openafs.org/pages/doc/QuickStartUnix/auqbg006.htm#HDRWQ99

You should add the SL4.5 box as an additional server. Install openafs,
copy the keyfile over and start the daemons. Then you can move the
volumes to the new server.

Ideally you should add two or three SL4.5 servers as fileserver/DB
servers. Then you won't have an outage when you shut down the win2k box.

Plan:
1. add new servers as DB/file servers
2. Add new DB servers to CellServDB file on all clients
3. migrate volumes to new servers (vos move)
4. shut down old server
5. remove old server IP from clients or set up a new box with the same
IP as the win2k box.

Three is the recommended number of DB servers so that you can still run
vos commands when one server fails.  File access is still OK with one DB
server active, but you can't vos move, create, ...

For kerberos, you just need the AFS service principal and a kerberos
account for the AFS admin user. Any other AFS users need kerberos
principals as well, but getting the keytab for the AFS service principal
from the kerberos admin is the critical thing. Getting the keytab should
be unnecessary because you already have an AFS keyfile and I'm assuming
you have an AFS account that has admin privileges.

Sincerely,
Jason
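The five-step plan in the reply above, written out as a script. This is an added example and not part of the original thread or of OpenAFS itself; the hostnames (win2k-afs.example.com, afs1-3.example.com), the single vicepa partition, the /usr/afs/etc KeyFile directory and the sample `vos listvol` listing are all assumptions, and the volume listing is constructed here to look like real `vos listvol` output rather than captured from a cell. It defaults to a dry run that prints the bos/vos commands it would issue, so the order of operations can be reviewed before anything touches the VLDB.

```shell
#!/bin/sh
# Added example, not from the original thread: the migration plan above as a
# dry-run-able script. Hostnames, partition and KeyFile directory are assumed;
# adjust for your cell. Run as root on a host holding the cell's KeyFile so
# that -localauth works without Kerberos tokens.
set -eu

OLD=${OLD:-win2k-afs.example.com}   # assumed: the IBM AFS 3.5 / Win2K server
NEW=${NEW:-"afs1.example.com afs2.example.com afs3.example.com"}  # assumed SL4.5 boxes
PART=${PART:-vicepa}                # assumed: one /vicepa partition on every server
KEYDIR=${KEYDIR:-/usr/afs/etc}      # assumed: Transarc-style layout of the RPMs
DRYRUN=${DRYRUN:-1}                 # 1 = print the commands, 0 = execute them

run() { if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 0: the KeyFile copied from the old server must be byte-identical on
# every server and readable only by root. bos listkeys should then show the
# same key version numbers on old and new servers.
install_keyfile() {   # $1 = path of the KeyFile fetched from the old server
    run install -m 600 -o root -g root "$1" "$KEYDIR/KeyFile"
    run bos listkeys -server "$(hostname)" -localauth
}

# Steps 1-2 (server side): list the new hosts in the server CellServDB of every
# machine in the cell and restart the ubik database processes so they form a
# quorum. Add buserver/kaserver to -instance if your cell runs them. Clients
# need the same hosts added to their own CellServDB (step 2 of the plan).
add_db_servers() {
    for target in $OLD $NEW; do
        for h in $NEW; do
            run bos addhost -server "$target" -host "$h" -localauth
        done
        run bos restart -server "$target" -instance ptserver vlserver -localauth
    done
}

# Step 3: turn a `vos listvol -server $OLD -partition $PART` listing (read on
# stdin) into the vos commands that empty the old server, one per line.
# RW volumes are moved round-robin onto the new servers and their .backup
# clone re-created at the new site (vos backup is harmless if one already
# exists). RO sites are added on a new server, released, then removed from
# the old one. BK lines are skipped; vos backup after the move covers them.
plan_moves() {
    awk -v old="$OLD" -v new="$NEW" -v part="$PART" '
        BEGIN { n = split(new, dst, " "); i = 0 }
        # data lines look like:  name  id  RW|RO|BK  size K On-line
        NF == 6 && $3 == "RW" {
            to = dst[i++ % n + 1]
            print "vos move -id " $1 " -fromserver " old " -frompartition " part \
                  " -toserver " to " -topartition " part " -localauth"
            print "vos backup -id " $1 " -localauth"
        }
        NF == 6 && $3 == "RO" {
            base = $1; sub(/\.readonly$/, "", base)
            to = dst[i++ % n + 1]
            print "vos addsite -server " to " -partition " part " -id " base " -localauth"
            print "vos release -id " base " -localauth"
            print "vos remove -server " old " -partition " part " -id " $1 " -localauth"
        }'
}

migrate_volumes() {   # live version: the listing comes from the old server itself
    vos listvol -server "$OLD" -partition "$PART" -localauth | plan_moves |
    while IFS= read -r cmd; do run $cmd; done   # unquoted: split into argv
}

# Steps 4-5: shut the old box down only once the VLDB no longer references it
# (vos listvldb -server must report 0 entries), then drop it from the server
# CellServDBs. Remove it from the clients' CellServDB as well, or re-use its IP.
retire_old_server() {
    run vos listvldb -server "$OLD" -localauth
    for target in $NEW; do
        run bos removehost -server "$target" -host "$OLD" -localauth
    done
    run bos shutdown -server "$OLD" -localauth
}

# Constructed sample listing in vos listvol format (not captured from a cell).
SAMPLE_LISTVOL='Total number of volumes on server win2k-afs.example.com partition /vicepa: 6
root.afs                          536870912 RW          2 K On-line
root.afs.readonly                 536870913 RO          2 K On-line
root.cell                         536870915 RW          2 K On-line
root.cell.readonly                536870916 RO          2 K On-line
user.avison                       536870921 RW      10240 K On-line
user.avison.backup                536870923 BK      10240 K On-line

Total volumes onLine 6 ; Total volumes offLine 0 ; Total busy 0'

if [ "${1:-}" = --demo ]; then      # sh migrate.sh --demo prints the whole plan
    add_db_servers
    printf '%s\n' "$SAMPLE_LISTVOL" | plan_moves
    retire_old_server
fi
```

Run it with `--demo` and DRYRUN=1 first and read the output top to bottom; only set DRYRUN=0 once `bos listkeys` shows matching key version numbers on the new servers and every client has the new DB servers in its CellServDB, because a `vos move` issued while clients still point only at the old VLDB server leaves them unable to locate the moved volumes.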