[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)

Harald Barth haba@kth.se
Tue, 11 Dec 2012 23:07:07 +0100 (CET)


> Thanks. My next question is: if I do this, will it break existing
> sessions using tokens obtained via afs@?

If you merge a new secret into the AFS key file on the server with a
new (high, say 10001) kvno, it should not. I have not tested this
though.

> 1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS
> servers

Hmmm.

Methinks between 1. and 3. tokens with the new key may fail.
What do the experts think about this:

1. Start empty heimdal KDC for MATH.CORNELL.EDU on laptop.
2. Create afs/math.cornell.edu@MATH.CORNELL.EDU on laptop with a known 
   (long, random) password and high kvno.
3. Extract AFSKEY with ktutil from KDC on laptop.
4. Merge AFSKEY for afs/math.cornell.edu into testserver's KeyFile.
5. Try to access something on testserver from laptop with key
   material created with kimpersonate.
6. Merge AFSKEY into all production servers.
7. Create identical afs/math.cornell.edu@MATH.CORNELL.EDU on real KDC.

Warning: I have not tried this in practice, but I think in this manner
you can back out each step without problem.

Harald.