[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)
Harald Barth
haba@kth.se
Tue, 11 Dec 2012 23:07:07 +0100 (CET)
> Thanks. My next question is: if I do this, will it break existing
> sessions using tokens obtained via afs@?
If you merge a new secret into the AFS key file on the server with a
new (high, say 10001) kvno, it should not. I have not tested this
though.
> 1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS
> servers
Hmmm.
Methinks between 1. and 3. tokens with the new key may fail.
What do the experts think about this:
1. Start empty heimdal KDC for MATH.CORNELL.EDU on laptop.
2. Create afs/math.cornell.edu@MATH.CORNELL.EDU on laptop with known
(long, random) password and high kvno.
3. Extract AFSKEY with ktutil from KDC on laptop.
4. Merge AFSKEY for afs/math.cornell.edu into testserver's KeyFile.
5. Try to access something on testserver from laptop with key
material created with kimpersonate.
6. Merge AFSKEY into all production servers.
7. Create identical afs/math.cornell.edu@MATH.CORNELL.EDU on real KDC.
Warning: I have not tried this in practice, but I think in this manner
you can back out each step without problem.
Harald.
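A rehearsal script for the seven steps above, added here as an example; it is not from the thread and not OpenAFS or Heimdal code. Every command passes through a `run` helper that only prints the command line unless `DRY_RUN=0`, so the sequence and its back-out can be reviewed step by step before a real KDC or KeyFile is touched. Heimdal `kadmin`/`ktutil`/`kdc`/`kimpersonate` on the laptop, OpenAFS `asetkey` on the servers, ssh/scp access to them, the scratch keytab path, the kvno 10001 from the reply, the admin principal, the test user and the production host list are all assumptions.

```shell
#!/bin/sh
# Rehearsal of the seven-step AFS key rollover from the thread (added example).
# run() prints each command and executes it only when DRY_RUN=0, so the whole
# procedure and its roll-back can be inspected first.
# Assumed: Heimdal tools on the laptop, OpenAFS asetkey on the servers,
# ssh/scp access, the keytab path, the kvno, ADMIN, the test user, PROD_SERVERS.
set -eu

REALM=MATH.CORNELL.EDU
CELL=math.cornell.edu
AFS_PRINC="afs/$CELL@$REALM"
NEW_KVNO=10001                        # high kvno: cannot collide with keys already in use
KEYTAB="/tmp/afs-$NEW_KVNO.keytab"    # assumed scratch keytab on the laptop
ADMIN="${ADMIN:-admin/admin@$REALM}"  # assumed kadmin principal on the real KDC
PROD_SERVERS="${PROD_SERVERS:-}"      # assumed host names, e.g. "afs1 afs2 afs3"
DRY_RUN="${DRY_RUN:-1}"

run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step 1: empty Heimdal KDC for the realm on the laptop. Where it keeps its
# database comes from the laptop's krb5.conf, which is assumed to exist.
step1_init_kdc() {
    run kadmin -l init --realm-max-ticket-life=unlimited \
        --realm-max-renewable-life=unlimited "$REALM"
    run kdc --detach
}

# Step 2: create the service principal from a known password and force the
# high kvno. Step 7 must derive the identical key, so the same password, the
# same [kadmin] default_keys (enctype and salt) and the same kvno are needed
# there. (--password is visible in `ps`; use interactive kadmin if that
# matters on the laptop.)
step2_create_principal() {
    run kadmin -l add --use-defaults --password="$1" "$AFS_PRINC"
    run kadmin -l modify --kvno="$NEW_KVNO" "$AFS_PRINC"
}

# Step 3: export the key. Heimdal's ext_keytab writes the stored key without
# changing it, so KDC and keytab stay in sync.
step3_extract_keytab() {
    run kadmin -l ext_keytab -k "$KEYTAB" "$AFS_PRINC"
    run ktutil -k "$KEYTAB" list      # check kvno and enctype before shipping it
}

# Steps 4 and 6: add the key to a server's KeyFile under the new kvno. The
# old keys stay in the file, so tokens issued under them keep working.
merge_into_server() {
    run scp "$KEYTAB" "$1:$KEYTAB"
    run ssh "$1" asetkey add "$NEW_KVNO" "$KEYTAB" "$AFS_PRINC"
    run ssh "$1" asetkey list
}

# Back-out for steps 4 and 6: remove only the new kvno again.
rollback_server() {
    run ssh "$1" asetkey delete "$NEW_KVNO"
}

# Step 5: mint a ticket for a test user with the new key (the laptop holds the
# keytab), turn it into a token and touch the test server. The kimpersonate
# flags and the aklog call are assumptions of this example.
step5_test_access() {
    run kimpersonate --keytab="$KEYTAB" --client-principal="testuser@$REALM" \
        --server-principal="$AFS_PRINC"
    run aklog -cell "$CELL"
    run ls "/afs/$CELL"
}

# Step 7: the same principal, password and kvno on the production KDC.
step7_create_on_real_kdc() {
    run kadmin -p "$ADMIN" add --use-defaults --password="$1" "$AFS_PRINC"
    run kadmin -p "$ADMIN" modify --kvno="$NEW_KVNO" "$AFS_PRINC"
}

# The full sequence. Stop after step 5 and verify before touching production.
rollover() {
    pw=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    step1_init_kdc
    step2_create_principal "$pw"
    step3_extract_keytab
    merge_into_server testserver
    step5_test_access
    for h in $PROD_SERVERS; do merge_into_server "$h"; done
    step7_create_on_real_kdc "$pw"
}

case "${1:-}" in rollover) rollover ;; esac
```

`sh rollover.sh rollover` with the default `DRY_RUN=1` prints the entire command sequence; set `DRY_RUN=0` only for the step actually being performed, and keep `rollback_server` at hand for steps 4 and 6, which is the per-server back-out the reply relies on.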