[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)
Tue, 11 Dec 2012 23:07:07 +0100 (CET)
> Thanks. My next question is: if I do this, will it break existing
> sessions using tokens obtained via afs@?
If you merge a new secret into the AFS key file on the server with a
new (high, say 10001) kvno, it should not. I have not tested this
> 1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS
Methinks between 1. and 3. tokens with the new key may fail.
What do the experts think about this:
1. Start empty heimdal KDC for MATH.CORNELL.EDU on laptop.
2. Create afs/math.cornell.edu@MATH.CORNELL.EDU on laptop with known
(long, random) password and high kvno.
3. Extract AFSKEY with ktutil from KDC on laptop.
4. Merge AFSKEY for afs/math.cornell.edu into testserver's KeyFile.
5. Try to access something on testserver from laptop with key
material created with kimpersonate.
6. Merge AFSKEY into all production servers.
7. Create identical afs/math.cornell.edu@MATH.CORNELL.EDU on real KDC.
Warning: I have not tried this in practice, but I think in this manner
you can back out each step without problem.
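The merge and back-out steps above (steps 4 and 6, and the claim that adding a key under a fresh, high kvno leaves existing tokens working) as an added example; this is not code from the original message or from OpenAFS. It assumes the KeyFile layout described in the comments (a big-endian 32-bit entry count followed by entries of a big-endian 32-bit kvno and an 8-byte DES key), and the two keys are constructed sample values, not real key material.

```python
import struct

# Assumed OpenAFS KeyFile layout (not stated in the thread): a big-endian
# 32-bit entry count, then per entry a big-endian 32-bit kvno followed by
# an 8-byte DES key.
HEADER = struct.Struct(">i")
ENTRY = struct.Struct(">i8s")

# Constructed sample keys with odd parity in every byte, as DES requires.
OLD_KEY = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])
NEW_KEY = bytes([0x10, 0x13, 0x15, 0x16, 0x19, 0x1A, 0x1C, 0x1F])


def has_odd_parity(key):
    """DES keys carry odd parity per byte; a key failing this is suspect."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def parse_keyfile(data):
    """Return {kvno: key} in file order; rejects truncated or inconsistent input."""
    if len(data) < HEADER.size:
        raise ValueError("KeyFile too short for header")
    (count,) = HEADER.unpack_from(data, 0)
    if count < 0 or HEADER.size + count * ENTRY.size != len(data):
        raise ValueError("KeyFile length does not match entry count")
    keys = {}
    for i in range(count):
        kvno, key = ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
        if kvno in keys:
            raise ValueError("duplicate kvno %d" % kvno)
        keys[kvno] = key
    return keys


def serialize_keyfile(keys):
    """Inverse of parse_keyfile; entries are written in dict (insertion) order."""
    out = bytearray(HEADER.pack(len(keys)))
    for kvno, key in keys.items():
        out += ENTRY.pack(kvno, key)
    return bytes(out)


def merge_key(data, kvno, key):
    """Add key under kvno and leave every existing entry untouched.

    Refusing to overwrite an existing kvno is what keeps tokens that were
    issued against the old kvno decryptable after the merge.
    """
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    if not has_odd_parity(key):
        raise ValueError("key bytes lack DES odd parity; wrong key type?")
    keys = parse_keyfile(data)
    if kvno in keys:
        raise ValueError("kvno %d already present; refusing to overwrite" % kvno)
    keys[kvno] = key
    return serialize_keyfile(keys)


def remove_key(data, kvno):
    """Back-out step: drop one kvno, leaving the others as they were."""
    keys = parse_keyfile(data)
    if kvno not in keys:
        raise KeyError(kvno)
    del keys[kvno]
    return serialize_keyfile(keys)


def key_for_token(data, token_kvno):
    """Model of the server side: a token names a kvno, the server looks it up.

    Returns None when the KeyFile has no such kvno, i.e. the token cannot be
    decrypted on this server yet.
    """
    return parse_keyfile(data).get(token_kvno)


# Constructed starting point: a production KeyFile holding only kvno 3.
SAMPLE_KEYFILE = serialize_keyfile({3: OLD_KEY})

if __name__ == "__main__":
    merged = merge_key(SAMPLE_KEYFILE, 10001, NEW_KEY)
    print(sorted(parse_keyfile(merged)))
    print(key_for_token(merged, 3) == OLD_KEY, key_for_token(merged, 10001) == NEW_KEY)
    print(remove_key(merged, 10001) == SAMPLE_KEYFILE)
```

The `key_for_token` lookup is what makes the ordering in the thread matter: a server whose KeyFile has not yet received kvno 10001 returns nothing for a token issued under that kvno, which is the failure window between creating the principal on the KDC and finishing the merge on every server.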