[OpenAFS] Re: renaming a cell?
Sat, 28 Apr 2012 21:46:56 +0200
On Apr 28, 2012, at 00:08 , Andrew Deason wrote:
> On Fri, 27 Apr 2012 19:48:19 +0200
> Stephan Wiesand <firstname.lastname@example.org> wrote:
>> supposed one has to rename an AFS cell (and the krb5 realm =
>> for authentication), what would be the steps to take? Once the KDCs
>> are fully functional for the new realm, is the following sufficient?
> I thought renaming a krb5 realm was difficult... isn't the realm name
> used as part of the salt? Or should I just assume you've already =
> this? :)
Please assume I'm dumb and missing the most obvious problems :-)
> Renaming the realm isn't required, but I can certainly see why
> you'd want to.
Luckily, our users don't change passwords with kpasswd directly, but =
through our central user registry, which then propagates the change to =
several realms. Since our password policy enforces changing them every =
six months, we just need to propagate to the new realm in addition for =
that time, and can then swap it in. Host and service keys will have to =
be reissued, but I think that's feasible.
>> 1) shut down all AFS clients, Fileservers, DB servers=20
>> 2) replace all ThisCell & CellServDB files, and the KeyFiles
>> 3) start the servers
>> 4) start the clients
> Whether or not you even need to restart the clients I think depends on
> how you're using them wrt dynroot. But yeah, I think that's =
> We don't really store the cell name in any databases or anything if
> you're not using kaserver, so a cell doesn't tend to really be aware =
> what it's own name is, aside from the entries in CellServDB/ThisCell.
Thanks for the good news.
> Technically I think you may be able to just change client =
> with the servers still thinking the cell name is the old one, and it =
> at least mostly work. But that's obviously not the recommended way.
I'm most concerned about the clients we don't control. As a quick test, =
I used "fs newcell"to teach a client about a cell with the new name but =
the old db servers. Unauthenticated access seems to work just fine, but =
of course you can't get a token.
Maybe it would work if we kept the old KDCs running for a while, and =
configure the AFS servers to accept tickets for the old realm in =
addition (by putting the old realm in /usr/afs/etc/krb.conf) ?
> I'm sure you're aware that this isn't a very common operation, though,
Painfully aware, yes...
> so this process isn't well-tested. I think I've only done something =
> this once or twice, but I don't remember any special steps required.
Thanks a lot for your response,
15738 Zeuthen, Germany