[OpenAFS] Re: renaming a cell?

Stephan Wiesand stephan.wiesand@desy.de
Sat, 28 Apr 2012 21:46:56 +0200 

On Apr 28, 2012, at 00:08 , Andrew Deason wrote:

> On Fri, 27 Apr 2012 19:48:19 +0200
> Stephan Wiesand <stephan.wiesand@desy.de> wrote:
>=20
>> supposed one has to rename an AFS cell (and the krb5 realm =
responsible
>> for authentication), what would be the steps to take? Once the KDCs
>> are fully functional for the new realm, is the following sufficient?
>=20
> I thought renaming a krb5 realm was difficult... isn't the realm name
> used as part of the salt? Or should I just assume you've already =
handled
> this? :)

Please assume I'm dumb and missing the most obvious problems :-)

> Renaming the realm isn't required, but I can certainly see why
> you'd want to.

Luckily, our users don't change passwords with kpasswd directly, but =
through our central user registry, which then propagates the change to =
several realms. Since our password policy enforces changing them every =
six months, we just need to propagate to the new realm in addition for =
that time, and can then swap it in. Host and service keys will have to =
be reissued, but I think that's feasible.

>> 1) shut down all AFS clients, Fileservers, DB servers=20
>> 2) replace all ThisCell & CellServDB files, and the KeyFiles
>> 3) start the servers
>> 4) start the clients
>=20
> Whether or not you even need to restart the clients I think depends on
> how you're using them wrt dynroot. But yeah, I think that's =
sufficient.
> We don't really store the cell name in any databases or anything if
> you're not using kaserver, so a cell doesn't tend to really be aware =
of
> what it's own name is, aside from the entries in CellServDB/ThisCell.

Thanks for the good news.

> Technically I think you may be able to just change client =
configuration,
> with the servers still thinking the cell name is the old one, and it =
may
> at least mostly work. But that's obviously not the recommended way.

I'm most concerned about the clients we don't control. As a quick test, =
I used "fs newcell"to teach a client about a cell with the new name but =
the old db servers. Unauthenticated access seems to work just fine, but =
of course you can't get a token.

Maybe it would work if we kept the old KDCs running for a while, and =
configure the AFS servers to accept tickets for the old realm in =
addition (by putting the old realm in /usr/afs/etc/krb.conf) ?

> I'm sure you're aware that this isn't a very common operation, though,

Painfully aware, yes...

> so this process isn't well-tested. I think I've only done something =
like
> this once or twice, but I don't remember any special steps required.

Thanks a lot for your response,
	Stephan

--=20
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany