[OpenAFS] how to install Kerberos AFS Principal??

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Tue, 7 Apr 2009 02:13:55 -0400


On 2009 Apr 7, at 2:01, TIARA System Man wrote:
> i only had afs@REALM. should i create another afs/cell@REALM?

It's not necessary. Current practice is to use afs/cell@REALM but you  
don't have to change unless you're planning to have the same Kerberos  
realm host multiple cells at some point.

> if i do following commands, will it mess up afs server?
> ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw
> asetkey add X /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw

It should be fine as long as X != 3 (and of course X must match the  
kvno of the new principal, which should be 1 at creation).

> what are the benefits to have afs/cell@REALM? please tell me. thank  
> you. :)

The only real benefits are:
(1) aklog is very slightly faster since it checks afs/cell@REALM first;
(2) you can host multiple AFS cells from the same Kerberos installation.

Note that even if you decide to do so later but still have the simple  
afs@REALM, you could still create an afs/newcell@REALM and simply not  
copy the afs@REALM key into the new cell's KeyFile.  It's only people  
who might get confused, not software.

brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH
