[OpenAFS] Re: renaming a cell?

Andrew Deason adeason@sinenomine.net
Mon, 30 Apr 2012 10:03:37 -0500


On Sat, 28 Apr 2012 21:46:56 +0200
Stephan Wiesand <stephan.wiesand@desy.de> wrote:

> > I thought renaming a krb5 realm was difficult... isn't the realm
> > name used as part of the salt? Or should I just assume you've
> > already handled this? :)
> 
> Please assume I'm dumb and missing the most obvious problems :-)
[...]
> Luckily, our users don't change passwords with kpasswd directly, but
> through our central user registry, which then propagates the change to
> several realms. Since our password policy enforces changing them every
> six months, we just need to propagate to the new realm in addition for
> that time, and can then swap it in. Host and service keys will have to
> be reissued, but I think that's feasible.
[...]
> Maybe it would work if we kept the old KDCs running for a while, and
> configure the AFS servers to accept tickets for the old realm in
> addition (by putting the old realm in /usr/afs/etc/krb.conf) ?

Okay, well, I originally thought you were talking about using the same
KDCs and the same databases, but just changing which realm they were a
part of. I thought this didn't work, since the keys for the principals
are usually salted with something like 'princREALM' for the principal
'princ@REALM'. So if you change the realm without changing the database,
the key for a principal will be wrong (it will mismatch if you enter the
correct password).

But if you're creating a new database or using new KDCs, etc., that's not
a problem. And even converting the existing database in-place may be
possible; I don't really know. I may be incorrect on some of these
details anyway, this is all pure krb5 stuff and not much to do with AFS
:)

And yeah, it should work fine with AFS if you want to run with two
realms for a while for a transition period, like you described.

-- 
Andrew Deason
adeason@sinenomine.net
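As an added illustration of the salt issue discussed above (example code, not from the thread or from OpenAFS), this Python sketch shows the PBKDF2 stage of the RFC 3962 aes128-cts string-to-key function, whose default salt is the realm name followed by the principal's name components. It assumes constructed realm names, principal and password, and omits the final AES-based DK step, which is a deterministic function of the PBKDF2 output and so does not change the mismatch shown.

```python
import hashlib

# Constructed example values (not taken from the thread).
OLD_REALM = "OLD.EXAMPLE.ORG"
NEW_REALM = "NEW.EXAMPLE.ORG"
PRINCIPAL = "host/afs1.example.org"
PASSWORD = "correct horse battery staple"


def default_salt(principal: str, realm: str) -> str:
    """RFC 3962 default salt: realm, then the name components, no separators."""
    return realm + "".join(principal.split("/"))


def string_to_tkey(password: str, salt: str, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of aes128-cts string-to-key (default 4096 rounds).

    The final DK(tkey, "kerberos") step is omitted because it needs AES; any
    salt mismatch visible here is also present in the final key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 16)


def stored_entry(principal: str, realm: str, password: str) -> dict:
    """What a KDC database keeps for a principal: derived key plus the salt used."""
    salt = default_salt(principal, realm)
    return {"key": string_to_tkey(password, salt), "salt": salt}


def client_matches(entry: dict, principal: str, realm: str, password: str,
                   use_stored_salt: bool = False) -> bool:
    """Does a client deriving the key from the correct password reproduce the stored key?

    With use_stored_salt=False the client uses the default salt for the realm it now
    thinks it is in; with True it uses the salt the KDC advertises (PA-ETYPE-INFO2),
    which in principle lets an old key survive a realm rename.
    """
    salt = entry["salt"] if use_stored_salt else default_salt(principal, realm)
    return string_to_tkey(password, salt) == entry["key"]


def demo() -> dict:
    """Rename the realm without re-deriving keys and see which logins still work."""
    entry = stored_entry(PRINCIPAL, OLD_REALM, PASSWORD)
    return {
        "old_realm_default_salt": client_matches(entry, PRINCIPAL, OLD_REALM, PASSWORD),
        "new_realm_default_salt": client_matches(entry, PRINCIPAL, NEW_REALM, PASSWORD),
        "new_realm_stored_salt": client_matches(entry, PRINCIPAL, NEW_REALM, PASSWORD, True),
    }
```

The second result is the mismatch Andrew describes: the correct password yields the wrong key once the realm, and therefore the default salt, has changed, while the third shows that keeping the original salt per key avoids re-deriving everything.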