[OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 20 Nov 2013 16:50:33 -0500


On Mon, 2013-11-11 at 08:42 -0700, Kim Kimball wrote:

> I've got clients going back as far as Transarc 3.6 -- don't ask ....  
> there are clients that cannot be changed/rebooted/updated due to 
> "extreme sensitivity to change."

What software are these ancient clients using to get tokens?  klog?
Something else?

In general, if they are using anything based on krb5 and/or krb524, you
can use a stronger service key enctype, no matter how old they are.  You
will need to arrange for your KDC to be willing to use DES _session_
keys, because these older clients can't handle anything else.

If they are using something based on krb4 or kaserver, then you have no
choice but to retain the DES service key.  In this case, IMHO you are
best off not changing any keys; as long as one AFS service principal has
an active DES key, you gain no security benefit by upgrading the other.


If both principals are in use, then they must have different kvnos.  The
KeyFile format is not capable of storing multiple keys with the same
kvno.


I see no benefit to you in using the afs/cellname form, if you still
have clients that will work only with the old form.  There are as yet no
clients that do not support the "old-style" principal name.  We have
continued to use that name for exclusively here, as we've done for as
long as AFS has used Kerberos-based authentication.


-- Jeff