[OpenAFS] OpenAFS authenticating against multiple Kerberos servers simultaneously

Douglas E. Engert deengert@anl.gov
Thu, 22 Sep 2011 09:52:34 -0500

On 9/21/2011 5:08 PM, Dan Scott wrote:
> Hi,
> I have to perform a fairly major upgrade on my Kerberos servers which
> authenticate our Openafs cell, which means running with 2 different
> kerberos servers, at least for a short while.
> I'd like to create a keytab on the new server and add it to the
> KeyFile of our existing servers. Then when a user tries to access AFS,
> they can be authenticated against whichever Kerberos server they like.
> The problem is that both servers are authoritative for the same realm,
> so I don't think there's any way for OpenAFS to know which server the
> user's Kerberos ticket was obtained from.

As Simon pointed out, this very bizarre and could effect all of your
services not just Kerberos. I am surprised RedHat would not
have a transition plan.

But a quick glance of the notes it looks like they are saying that there
is no upgrade on a single machine, but you could build new KDCs,
freeze password changes and other datebase changes then migrate
the data which should include all the keys from old to new.

At his point both sets of KDCs should be issuing tickets using the
same keys. You could run like this, as long as no database updates
are needed, or you could swap host names and IP numbers of the
old and new KDCs.

That said, there is one trick that can be used with AFS at least.
This assumes that both sets of KDCs represent the same set of users.
Since the AFS servers are still using DES keys stored in the KeyFile,
one can add multiple keys each with a different KVNO.
The new KDCs could issue new keys with different KVNOs, from the old
server The AFS server does not care as they can decrypt the tokens
form either. (This was the trick used by the old gssklog and gsiklog.)

This quickly gets complicated if a user gets a krbtgt from one
set of KDCs, but tries to use it against the other set. Unless
the keys are the same or both sets of KDCs know about the others keys
(with different KVNOs, (think of this as cross realm with your evil twin))
this wont work.

Servers would also need two sets of keys, with the old KDCs using
one range of KVNO and the new KDCS using a different range of KVNOs.

> Please can you tell me if it's possible? And if so, how?
> Thanks,
> Dan Scott
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444