[OpenAFS] Can't get tokens since upgrading to 1.7.6 and Heimdal
Jeff Blaine
jblaine@kickflop.net
Fri, 16 Mar 2012 09:41:26 -0400
> This is why we strongly recommend that the afs/cell@REALM form of
> service tickets be used in all cases. afs/cell can be used with
> Kerberos referrals and when dns realm hierarchies must be searched.
A sanity check on this would be greatly appreciated.
I've shot myself in the foot before here (a few times).
So then to migrate from afs@REALM to afs/cell@REALM without
interruption:
1. Create afs/cell@REALM just as afs@REALM was
2. Extract keytab for afs/cell@REALM
3. Add key(s) for afs/cell@REALM to OpenAFS KeyFile on
"etc" upserver
4. After at least "max ticket lifetime", remove the old
key from KeyFile and also remove the principal from KDC.