[OpenAFS] OpenAFS authenticating against multiple Kerberos servers simultaneously

Simon Wilkinson sxw@inf.ed.ac.uk
Thu, 22 Sep 2011 09:07:12 +0100

On 22 Sep 2011, at 08:31, Dan Scott <danieljamesscott@gmail.com> wrote:
> No, I haven't, because two developers confirmed that I'd need to migrate:
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00250.html
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00251.html

If the contents of that first message is correct (that, in order to upgrade, you have to regenerate the keytabs for every Kerberised service) then FreeIPA has a fundamentally broken upgrade path. I would be really nervous about deploying something where so little consideration is given to upgrades. The underlying Kerberos service has no problem with providing an upgrade path - it beggars belief that FreeIPA doesn't have one.

The problem is the one you noted earlier. If you have two KDCs, both of which claim to be the same realm, but which contain different key material, there's absolutely no way for a service to tell which KDC issued a particular ticket, and so which key should be used to decrypt it. This means that the _only_ way to upgrade such a system is to shut everything down, remove all of the old keytabs, and create new ones for every service. You'll have a complete service outage for the period of time it takes you to do this work. It's worth noting that this isn't a problem of AFS's making - the issue will affect every Kerberised service that you run.

>> Anyway, if you really must switch realms you should at least do it the
>> proper way: pick some other name for the new realm, and use cross-realm
>> trust as needed during the migration.
> That's just it, the migration doesn't necessarily require a realm
> switch. Maybe I do need to though, to accomplish what I want.

No, the fact that FreeIPA doesn't support importing the old KDC database into the newer KDC means that the only way to achieve what you are trying to do without significant downtime is by changing your realm name. Of course, this means that anywhere that the realm is used in access control rules will have to be updated too.

I think it's probably worth pushing the FreeIPA developers about an upgrade path for Kerberos key material. If they are unable, or unwilling, to provide one, then I would give serious consideration as to whether it is an appropriate piece of software to have at the heart of your organisation's infrastructure. If an upgrade from version 1 to 2 requires a flag day, then what about from version 2 to 3, or from 3 to 4?
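As an added illustration of the key-selection problem described in this message (not code from the thread or from OpenAFS/FreeIPA), the following toy model shows how a Kerberised service picks the key for a ticket from its keytab by (service principal, realm, kvno), why two KDCs claiming the same realm with different key material leave it no way to verify the second KDC's tickets, and why a distinct realm name avoids that. The toy enctype (SHAKE keystream plus HMAC tag), the principal names, realm names and keys are all constructed for the example.

```python
# Added example, not from the original thread: toy model of keytab key selection.
# The toy enctype, principal names, realm names and keys are all constructed.
import hashlib, hmac, secrets

def encrypt_ticket(key: bytes, plaintext: bytes) -> bytes:
    ks = hashlib.shake_256(key).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decrypt_ticket(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # wrong key: the ticket does not verify
    ks = hashlib.shake_256(key).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

class KDC:
    """One KDC with its own service-key database, issuing tickets for a realm."""
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}
    def add_service(self, princ: str, kvno: int) -> bytes:
        self.keys[(princ, kvno)] = secrets.token_bytes(32)
        return self.keys[(princ, kvno)]
    def issue(self, princ: str, kvno: int, client: str) -> dict:
        # The ticket carries service principal, realm and kvno, but nothing
        # that says which KDC instance holds the key that encrypted it.
        return {"sprinc": princ, "realm": self.realm, "kvno": kvno,
                "enc": encrypt_ticket(self.keys[(princ, kvno)], client.encode())}

def service_decrypt(keytab: dict, ticket: dict):
    """keytab maps (principal, realm, kvno) -> key, as the keytab file does."""
    key = keytab.get((ticket["sprinc"], ticket["realm"], ticket["kvno"]))
    pt = decrypt_ticket(key, ticket["enc"]) if key else None
    return pt.decode() if pt else None

def same_realm_scenario():
    # Two KDCs both claiming EXAMPLE.COM with different key material: the
    # service holds the old key and cannot verify the new KDC's tickets.
    old, new = KDC("EXAMPLE.COM"), KDC("EXAMPLE.COM")
    keytab = {("afs/cell", "EXAMPLE.COM", 2): old.add_service("afs/cell", 2)}
    new.add_service("afs/cell", 2)
    return (service_decrypt(keytab, old.issue("afs/cell", 2, "alice")),
            service_decrypt(keytab, new.issue("afs/cell", 2, "alice")))

def new_realm_scenario():
    # A distinct realm name gives the new principal its own keytab entry.
    old, new = KDC("EXAMPLE.COM"), KDC("NEW.EXAMPLE.COM")
    keytab = {("afs/cell", "EXAMPLE.COM", 2): old.add_service("afs/cell", 2),
              ("afs/cell", "NEW.EXAMPLE.COM", 1): new.add_service("afs/cell", 1)}
    return (service_decrypt(keytab, old.issue("afs/cell", 2, "alice")),
            service_decrypt(keytab, new.issue("afs/cell", 1, "alice")))
```

`same_realm_scenario()` returns `("alice", None)`: the second KDC's ticket looks identical in its header and simply fails to verify, while `new_realm_scenario()` returns `("alice", "alice")` because the two realms select different keytab entries.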