[OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist

Peter Grandi pg@afs.list.sabi.co.uk
Wed, 20 Nov 2013 22:29:12 +0000


> I've got clients going back as far as Transarc 3.6 -- don't ask
> ....  there are clients that cannot be changed/rebooted/updated
> due to "extreme sensitivity to change."

> I had assumed that leaving the existing /usr/afs/etc/KeyFile
> alone and _not_ updating afs@REALM (with new encryption type for
> rekey effort) was the correct approach.

It depends on what you want to achieve, in particular why you are
rekeying your AFS principals and under which conditions.

The upgrade notes discuss the difference between 'rxkad-k5' and
'rxkad-kdf' upgrades, and that the latter is the only one that
permits getting rid of the single-DES enctypes for authentication.

Some random links that might be relevant:

http://lists.openafs.org/pipermail/openafs-info/2013-August/039809.html
http://lists.openafs.org/pipermail/openafs-info/2013-July/039719.html
http://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
http://www.openafs.org/pages/security/install-rxkad-k5-1.4.txt
http://openafs.org/pages/security/how-to-rekey.txt