[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)
Brandon Allbery
allbery.b@gmail.com
Wed, 12 Dec 2012 14:53:48 -0500
On Wed, Dec 12, 2012 at 8:45 AM, Steve Gaarder <gaarder1@math.cornell.edu> wrote:
> On Tue, 11 Dec 2012, Harald Barth wrote:
>
>>> 1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
>>> 2. Store the key in a keytab file
>>> 3. Use asetkey to add the key to the keyfile on each of the AFS
>>> servers
>>>
>>
>> Methinks between 1. and 3. tokens with the new key may fail.
>>
>
> Yes, I think you're right. The time period is short enough, though, that
> I think I can live with that.
>
If you script it (kadmin *is* scriptable in recent MIT, with some pain),
the time between creating and adding to the first KeyFile can be
milliseconds; script pushing that to the other servers and it's still
likely to be a few seconds at most. If using Heimdal, you can use 'ktutil
get' and do the first one in effectively a single operation (ktutil get -k
AFS3KEYFILE:... afs/cell@REALM). Then Kerberos-authenticated parallel ssh
to push to the other servers for minimum latency. :)
--
brandon s allbery kf8nh sine nomine associates
allbery.b@gmail.com ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
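
The scripted rotation discussed above, as an added example that is not part of the original thread: it assumes an MIT KDC and is run as root on the first fileserver. The principal, host names, keytab path, the `RUN` dry-run switch and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: rotate the AFS service key, then push it with a minimal window.
# Assumed, not from the thread: MIT kadmin/klist, run as root on the first
# fileserver, and every name below (all placeholders).
PRINC="afs/example.org@EXAMPLE.ORG"
KEYTAB="/root/afs-rotate.keytab"
OTHERS="afs2.example.org afs3.example.org"
RUN="${RUN-echo}"   # unset: dry run that prints each command; RUN= executes
umask 077           # key material must never be group/world readable

# Highest KVNO listed for principal $1 in `klist -k` output read from stdin.
newest_kvno() {
    awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 }
                   END { if (max == "") exit 1; print max }'
}

rotate() {
    # Steps 1-2: ktadd randomizes the key in the KDC and writes it to the keytab.
    # From here on, new tokens fail until a server has the key.
    $RUN kadmin -q "ktadd -k $KEYTAB $PRINC" || return 1
    kvno=$(klist -k "$KEYTAB" 2>/dev/null | newest_kvno "$PRINC") || {
        [ -n "$RUN" ] || { echo "no $PRINC key in $KEYTAB" >&2; return 1; }
        kvno="KVNO"   # dry run only: the keytab was never written
    }
    # Step 3, first server: local, so the gap is one process launch.
    $RUN asetkey add "$kvno" "$KEYTAB" "$PRINC" || return 1
    # Step 3, remaining servers: one background job per host, all in parallel.
    pids=""
    for h in $OTHERS; do
        ( $RUN scp -p -o GSSAPIAuthentication=yes "$KEYTAB" "root@$h:$KEYTAB" &&
          $RUN ssh -o GSSAPIAuthentication=yes "root@$h" \
               asetkey add "$kvno" "$KEYTAB" "$PRINC" ) &
        pids="$pids $!"
    done
    rc=0
    for p in $pids; do wait "$p" || rc=1; done   # report any host that failed
    return "$rc"
}

case "${1-}" in --run) rotate ;; esac
```

Once `asetkey list` shows the new kvno on every server, delete the transfer keytab from each host.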