[OpenAFS] how to install Kerberos AFS Principal??

TIARA System Man sysman@tiara.sinica.edu.tw
Tue, 7 Apr 2009 15:28:32 +0800


thank you. i got it. :)

i am really afraid i'll mess up the currently running afs server. i'd
better ask you experts for advice. thanks again!

On Tue, Apr 7, 2009 at 2:13 PM, Brandon S. Allbery KF8NH
<allbery@ece.cmu.edu> wrote:
> On 2009 Apr 7, at 2:01, TIARA System Man wrote:
>>
>> i only had afs@REALM. should i create another afs/cell@REALM?
>
> It's not necessary. Current practice is to use afs/cell@REALM but you don't
> have to change unless you're planning to have the same Kerberos realm host
> multiple cells at some point.
>
>> if i do the following commands, will it mess up the afs server?
>>
>> ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw
>> asetkey add X /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw
>
> It should be fine as long as X != 3 (and of course X must match the kvno of
> the new principal, which should be 1 at creation).
>
>> what are the benefits to have afs/cell@REALM? please tell me. thank you.
>> :)
>
> The only real benefits are:
> (1) aklog is very slightly faster since it checks afs/cell@REALM first;
> (2) you can host multiple AFS cells from the same Kerberos installation.
>
> Note that even if you decide to do so later but still have the simple
> afs@REALM, you could still create an afs/newcell@REALM and simply not copy
> the afs@REALM key into the new cell's KeyFile. It's only people who might
> get confused, not software.
>
> --
> brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
> system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
> electrical and computer engineering, carnegie mellon university    KF8NH
>
>
>



-- 
Sam Tseng
Academia Sinica
Institute of Astronomy and Astrophysics
Tel: +886-2-3365-2200 ext 742
Fax: +886-2-2367-7849
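
The following is an added example, not part of the original thread or of OpenAFS: a shell pre-flight check for the two conditions in the quoted reply, that X matches the kvno of the new principal's key in the keytab and does not collide with a key already in the KeyFile. It assumes the MIT `klist -k` output layout (without `-t`) and that the 3 in the reply is the kvno of the existing key, passed here as a parameter; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before `asetkey add X <keytab> <principal>`.
# Reads the output of `klist -k <keytab>` (MIT Kerberos layout) on stdin.

# Print every kvno the keytab holds for principal $1 (realm ignored).
keytab_kvnos() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {              # data rows start with a numeric kvno
            name = $2
            sub(/@.*$/, "", name)      # drop the @REALM suffix
            if (name == p) print $1
        }'
}

# $1 = kvno to give asetkey, $2 = principal, $3 = kvno already in the KeyFile
# (assumption: this is the "3" the reply says X must not equal).
# Returns 0 if safe, 1 if X collides with the existing key,
# 2 if X is not the kvno of the extracted key or is not a number.
check_asetkey_kvno() {
    x=$1; princ=$2; in_use=$3
    case $x in
        ''|*[!0-9]*) echo "kvno must be a number: '$x'" >&2; return 2 ;;
    esac
    if [ "$x" -eq "$in_use" ]; then
        echo "kvno $x is already used in the KeyFile" >&2
        return 1
    fi
    if keytab_kvnos "$princ" | grep -qx "$x"; then
        echo "ok: asetkey add $x <keytab> $princ"
        return 0
    fi
    echo "kvno $x not found for $princ in keytab" >&2
    return 2
}

# Constructed sample of `klist -k /etc/krb5.keytab.afs` output;
# REALM is the placeholder used in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab.afs
KVNO Principal
---- ----------------------------------------------
   1 afs/tiara.sinica.edu.tw@REALM'

printf '%s\n' "$SAMPLE_KLIST" | check_asetkey_kvno 1 afs/tiara.sinica.edu.tw 3
```

Against a real keytab the input would come from `klist -k /etc/krb5.keytab.afs` piped into `check_asetkey_kvno`.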