[OpenAFS] Moving a Central File Server with OpenAFS/Kerberos/LDAP to a different subnet

Holger Rauch holger.rauch@empic.de
Mon, 14 Jun 2010 14:50:20 +0200


Hi,

I have to move an OpenAFS file server from one internal subnet (e.g.
10.12.13.0/16) to another (e.g. 10.20.30.0/16). Also, both the DNS
domain (my.old.domain -> my.new.domain) and the Kerberos realm change
(MY.OLD.DOMAIN -> MY.NEW.DOMAIN).

The file server is running Debian Lenny for amd64, OpenAFS 1.4.12 from
Lenny backports, OpenLDAP and MIT Kerberos from standard Lenny.

The Kerberos database is stored in LDAP (initially created using
kdb5_ldap_util).

Now, I'm just not sure as to which steps exactly need to be taken for
the move. Especially, I'm not sure whether to use cross realm
authentication between realms MY.OLD.DOMAIN and MY.NEW.DOMAIN or
whether I can simply rename MY.OLD.DOMAIN to MY.NEW.DOMAIN throughout
my LDAP DIT (e.g. obtained via slapcat and readded via slapadd). Or is
there a totally different way to rename a Kerberos realm stored in an
LDAP DIT? Which alternative is recommended? (The krb5.conf and kdc.conf
files probably need to be adjusted as well).

Furthermore, I probably have to modify /etc/openafs/server/ThisCell so
that it contains the new cell name, right? /etc/openafs/CellServDB
needs the host name changed so that it points to the new FQDN?

Any other hints as to what I have to take into account when moving an
OpenAFS server to a new subnet?

Thanks in advance & kind regards,

    Holger
