[OpenAFS] how to install Kerberos AFS Principal??
Brandon S. Allbery KF8NH
Tue, 7 Apr 2009 02:13:55 -0400
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
On 2009 Apr 7, at 2:01, TIARA System Man wrote:
> i only had afs@REALM. should i create another afs/cell@REALM?
It's not necessary. Current practice is to use afs/cell@REALM but you
don't have to change unless you're planning to have the same Kerberos
realm host multiple cells at some point.
> if i do following commands, will it mess up afs server?
> ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab.afs afs/
> asetkey add X /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw
It should be fine as long as X != 3 (and of course X must match the
kvno of the new principal, which should be 1 at creation).
> what are the benefits to have afs/cell@REALM? please tell me. thank
> you. :)
The only real benefits are:
(1) aklog is very slightly faster since it checks afs/cell@REALM first;
(2) you can host multiple AFS cells from the same Kerberos installation.
Note that even if you decide to do so later but still have the simple
afs@REALM, you could still create an afs/newcell@REALM and simply not
copy the afs@REALM key into the new cell's KeyFile. It's only people
who might get confused, not software.
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] firstname.lastname@example.org
system administrator [openafs,heimdal,too many hats] email@example.com
electrical and computer engineering, carnegie mellon university KF8NH
content-type: application/pgp-signature; x-mac-type=70674453;
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)
-----END PGP SIGNATURE-----