[OpenAFS] OpenAFS authenticating against multiple Kerberos servers simultaneously

Dan Scott danieljamesscott@gmail.com
Thu, 22 Sep 2011 03:31:29 -0400


Hi,

On Thu, Sep 22, 2011 at 03:05, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
> * Dan Scott [2011-09-21 18:33:42 -0400]:
>> I'm running Fedora's FreeIPA
>>
>> http://freeipa.org/
>>
>> and am in the process of migrating from version 1.2 to 2.1, which
>> requires a re-installation of the software and migration of the user
>> information.
>
> Is that true? Where is it documented? (I've just looked at the documentation
> for v2 and all I could find about upgrading was a suggestion to set up a
> test replica or two, isolate it from the production setup, then simply
> upgrade using yum. Have you tried this?)

No, I haven't, because two developers confirmed that I'd need to migrate:

https://www.redhat.com/archives/freeipa-users/2011-May/msg00250.html
https://www.redhat.com/archives/freeipa-users/2011-May/msg00251.html

Do you have a link for the mention of the yum upgrade?

> If it's true, it will be a reason to steer well clear of that product.
> From what I understand, the underlying KDC is MIT Kerberos, both in v1
> and in v2. It should be possible to upgrade that component in place, at
> least.

Well, it's a little late now, we're already running this system and I
imagine that a migration away from FreeIPA would be even more
troublesome. The integrated LDAP schema has changed significantly,
which I believe is why in-place upgrades aren't supported.

> Anyway, if you really must switch realms you should at least do it the
> proper way: pick some other name for the new realm, and use cross-realm
> trust as needed during the migration.

That's just it, the migration doesn't necessarily require a realm
switch. Maybe I do need to though, to accomplish what I want.

>> I have set up a new server running FreeIPA 2 and have
>> configured a client to authenticate against it. Now I would like to
>> allow this client to access our OpenAFS cell, which is why, I believe,
>> (this may be incorrect) I need to add a principal from the new
>> Kerberos server to the OpenAFS KeyFile. Then I can begin to migrate
>> other clients over to the new server, and eventually remove the old
>> server (re-install the new software).
>>
>> There may be a much easier way of accomplishing this, such as
>> importing the keytab from the current server into the new one? (Just
>> thought of that) :)
>
> You mean the KDC database? Yes, I would certainly hope so.

No, I just mean the afs/EXAMPLE.COM principal: can I get *identical*
principals on both the old and new servers, so that OpenAFS will
authenticate against either, simultaneously.

Thanks,

Dan
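Added example, not part of the thread above and not OpenAFS or FreeIPA code: a small Python check for the question Dan asks. The fileserver's rxkad KeyFile is indexed by kvno, so a ticket issued by either KDC for afs/CELL@REALM verifies only if the key under that ticket's kvno in the KeyFile is the one the issuing KDC used. The keys on the two KDCs therefore either have to be identical (same kvno, same DES key) or have to sit under distinct kvnos that are both loaded with asetkey; the one fatal combination is the same kvno backed by different keys. The script parses MIT keytabs exported from each KDC, reports that collision, a missing principal, or a non-DES key the KeyFile of this era cannot hold, and lists which kvno/key pairs the KeyFile needs. The two keytabs, the EXAMPLE.COM realm and the key bytes are constructed in memory here; real ones would come from each KDC's kadmin.

```python
import struct

# MIT keytab, format 0x0502, all integers big-endian:
#   magic 05 02, then repeated [int32 size][entry body of `size` bytes];
#   a negative size marks a deleted entry whose hole is -size bytes long.
#   body: uint16 ncomp, cos realm, ncomp x cos component, uint32 name_type,
#         uint32 timestamp, uint8 kvno8, uint16 enctype, uint16 keylen, key,
#         then an optional uint32 kvno32 that overrides kvno8 when nonzero.
#   cos = uint16 length + bytes.
KRB5_NT_PRINCIPAL = 1
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def _cos(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as keytab bytes."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key, ts in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF, enctype, len(key))
        body += key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def _read_cos(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab, magic %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_cos(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cos(data, off)
            comps.append(c.decode())
        _name_type, _ts, kvno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = kvno8
        if end - off >= 4:                 # optional 32-bit kvno
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def plan_keyfile(old_kt, new_kt, principal):
    """Decide what the cell's KeyFile must hold for tickets from either KDC to verify.

    Returns (problems, needed): `needed` maps kvno -> DES key that asetkey must
    load (a KeyFile may hold several kvnos); `problems` lists what makes the two
    KDCs incompatible: same kvno with different keys, missing principal, or a
    non-DES key the rxkad KeyFile cannot store.
    """
    problems, needed = [], {}
    for label, kt in (("old", old_kt), ("new", new_kt)):
        found = [e for e in parse_keytab(kt) if e["principal"] == principal]
        if not found:
            problems.append("%s has no entry in the %s keytab" % (principal, label))
        for e in found:
            if e["enctype"] not in DES_ENCTYPES:
                problems.append("%s KDC kvno %d uses enctype %d; the rxkad KeyFile only "
                                "holds single-DES keys" % (label, e["kvno"], e["enctype"]))
                continue
            if e["kvno"] in needed and needed[e["kvno"]] != e["key"]:
                problems.append("kvno %d has different keys on the old and new KDC; "
                                "the fileserver can decrypt only one side's tickets" % e["kvno"])
            needed.setdefault(e["kvno"], e["key"])
    return problems, needed


# Constructed sample data: placeholder cell/realm as in the thread, made-up keys.
AFS_PRINC = "afs/EXAMPLE.COM@EXAMPLE.COM"
DES_KEY_A = bytes.fromhex("0e9d8c4a2f6d1f31")
DES_KEY_B = bytes.fromhex("6137c294a85b0de6")
OLD_KDC = build_keytab([(AFS_PRINC, 3, 1, DES_KEY_A, 1316600000)])
NEW_KDC_SAME = build_keytab([(AFS_PRINC, 3, 1, DES_KEY_A, 1316700000)])     # identical: the goal
NEW_KDC_COLLIDE = build_keytab([(AFS_PRINC, 3, 1, DES_KEY_B, 1316700000)])  # same kvno, other key
NEW_KDC_NEWKVNO = build_keytab([(AFS_PRINC, 4, 1, DES_KEY_B, 1316700000)])  # other key, fresh kvno
NEW_KDC_AES = build_keytab([(AFS_PRINC, 4, 18, bytes(32), 1316700000)])     # plain ktadd, AES realm

if __name__ == "__main__":
    for name, kt in (("same", NEW_KDC_SAME), ("collide", NEW_KDC_COLLIDE),
                     ("newkvno", NEW_KDC_NEWKVNO), ("aes", NEW_KDC_AES)):
        problems, needed = plan_keyfile(OLD_KDC, kt, AFS_PRINC)
        print(name, "KeyFile needs kvnos", sorted(needed), "problems:", problems or "none")
```

Two caveats when producing the real keytabs: on an MIT KDC, export the existing key with `kadmin.local -q "ktadd -norandkey -k afs.keytab afs/EXAMPLE.COM"`; a plain `ktadd` randomises the key and bumps the kvno, which is exactly the "collide" or "newkvno" situation above and would cut the running cell off from the old KDC. And since MIT's default salt is just realm plus principal name, creating afs/EXAMPLE.COM on the new KDC with the same password and enctype yields the same key bytes, with `modprinc -kvno` to align the kvno; whether FreeIPA's LDAP-backed kadmin.local honours all of that is an assumption to verify on the test replica before touching production.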