[OpenAFS] Can't get tokens since upgrading to 1.7.6 and Heimdal

Sergio Gelato Sergio.Gelato@astro.su.se
Fri, 16 Mar 2012 22:58:36 +0100


* Jeff Blaine [2012-03-16 09:41:26 -0400]:
> So then to migrate from afs@REALM to afs/cell@REALM without
> interruption:
> 
> 1. Create afs/cell@REALM just as afs@REALM was
[taking care to avoid kvno collisions, as pointed out by Brandon Allbery]
> 2. Extract keytab for afs/cell@REALM
> 3. Add key(s) for afs/cell@REALM to OpenAFS KeyFile on
>    "etc" upserver
> 4. After at least "max ticket lifetime", remove the old
>    key from KeyFile and also remove the principal from KDC.

I think you'll want to remove the old principal from the KDC as soon as
the new principal and key have propagated to all servers (both KDC and AFS).

*Then* wait one maximum ticket lifetime before removing the old key from
the KeyFile. You shouldn't rely on clients to always try afs/cell@REALM
before afs@REALM.

Incidentally, I like to make sure all AFS servers have the new key before
the KDCs start issuing tickets with it; for me that has meant
 1'. Generate new key, add it to the KeyFile with some unused kvno, 
     wait for it to propagate;
 2'. Create afs/cell@REALM with that key and kvno in the KDC database;
 3'. Remove afs@REALM from the KDC database
but if your KDC lets you mark a new key "don't issue tickets yet" you could
set that flag in your step 1 and clear it after your step 3 (+ KeyFile 
propagation).
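To make the ordering argument concrete, here is a small Python model of a cell during the rollover (an added illustration, not code from this thread or from OpenAFS): it tracks the KDC's service principals, the key set on the servers' KeyFile and the tickets still in flight, and reports any live ticket that no fileserver could decrypt. The lifetime, kvnos and key strings are made up; keytab extraction (the quoted step 2) is not modelled.

```python
# Constructed model of one AFS cell during a service-key rollover (KDC principals,
# the servers' KeyFile, outstanding tickets). Added illustration of the ordering
# argument in this thread, not code from it; lifetime, kvnos and keys are made up.
MAX_LIFETIME = 10  # hours: the KDC's maximum ticket lifetime

class Cell:
    def __init__(self):
        self.kdc = {"afs@REALM": (1, "oldkey")}  # principal -> (kvno, key)
        self.keyfile = {1: "oldkey"}             # kvno -> key, already on every server
        self.tickets = [(1, "oldkey", 0)]        # (kvno, key, issued); one predates the rollover
        self.now = 0

    def tick(self, hours=1):
        """Advance the clock, let one client get a token, return live tickets no server can decrypt."""
        self.now += hours
        names = ("afs/cell@REALM", "afs@REALM")  # clients cannot be relied on to prefer either
        for p in (names if self.now % 2 else reversed(names)):
            if p in self.kdc:
                kvno, key = self.kdc[p]
                self.tickets.append((kvno, key, self.now))
                break
        return [k for k, key, t in self.tickets
                if self.now - t < MAX_LIFETIME and self.keyfile.get(k) != key]

def kdc_first(cell):
    """Quoted steps 1-4: principal in the KDC before the key is in the KeyFile."""
    bad = []
    cell.kdc["afs/cell@REALM"] = (2, "newkey")  # 1. create afs/cell@REALM
    bad += cell.tick()
    cell.keyfile[2] = "newkey"                  # 3. add the key to the KeyFile
    bad += cell.tick()
    del cell.kdc["afs@REALM"]                   # 4. remove the old principal ...
    bad += cell.tick()
    del cell.keyfile[1]                         # ... and the old key without waiting
    bad += cell.tick()
    return bad

def keyfile_first(cell):
    """Steps 1'-3': KeyFile first, then the KDC, then wait one ticket lifetime."""
    bad = []
    cell.keyfile[2] = "newkey"                  # 1'. new key under an unused kvno
    bad += cell.tick()
    cell.kdc["afs/cell@REALM"] = (2, "newkey")  # 2'. principal with that key and kvno
    bad += cell.tick()
    del cell.kdc["afs@REALM"]                   # 3'. remove afs@REALM from the KDC
    bad += cell.tick()
    bad += cell.tick(MAX_LIFETIME)              # every old-key ticket has expired
    del cell.keyfile[1]                         # only now drop the old key
    bad += cell.tick()
    return bad
```

Running `kdc_first(Cell())` flags both a new-key ticket issued before the KeyFile had kvno 2 and old-key tickets orphaned when kvno 1 was dropped early; `keyfile_first(Cell())` reports nothing.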