[OpenAFS] OpenAFS authenticating against multiple Kerberos servers simultaneously

Dan Scott danieljamesscott@gmail.com
Wed, 21 Sep 2011 18:33:42 -0400


On Wed, Sep 21, 2011 at 18:23, Simon Wilkinson <sxw@inf.ed.ac.uk> wrote:
> On 21 Sep 2011, at 23:08, Dan Scott <danieljamesscott@gmail.com> wrote:
>> I have to perform a fairly major upgrade on my Kerberos servers which
>> authenticate our OpenAFS cell, which means running with 2 different
>> Kerberos servers, at least for a short while.
> Running with two different KDCs, both servicing the same realm yet containing different key material is a very bizarre (some might say fundamentally broken) configuration to have.
> Perhaps you could explain the upgrade that you are trying to perform?

Yep, fully understood. :) It's just while I perform the upgrade(s), so
that I can avoid having to re-configure all the clients at once.

I'm running Fedora's FreeIPA and am in the process of migrating from
version 1.2 to 2.1, which
requires a re-installation of the software and migration of the user
information. I have set up a new server running FreeIPA 2 and have
configured a client to authenticate against it. Now I would like to
allow this client to access our OpenAFS cell, which is why, I believe,
(this may be incorrect) I need to add a principal from the new
Kerberos server to the OpenAFS KeyFile. Then I can begin to migrate
other clients over to the new server, and eventually remove the old
server (re-install the new software).

There may be a much easier way of accomplishing this, such as
importing the keytab from the current server into the new one? (Just
thought of that) :)