[OpenAFS] Re: Moving Magic Trio to another domain

Jukka Tuominen jukka.tuominen@finndesign.fi
Mon, 23 Sep 2013 09:08:35 +0300 (EEST)


Hi Andrew and Russ,

> On Sun, 22 Sep 2013 11:09:38 +0300 (EEST)
> "Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:
>
>> I'm facing a major challenge. I'm trying to move a populated
>> OpenAFS/Kerberos/OpenLDAP installation under another domain name. The
>> IP address remains the same. Hopefully there is a way save the users,
>> their passwords, accounts etc. The user accounts are on afs. The
>> system can go offline, if necessary.
>
> Do you mean you're using OpenLDAP as a kerberos backend, or just that
> you're storing passwd/group information in ldap?

A few years back, I followed these instructions to set up the trio:
 http://techpubs.spinlocksolutions.com/dklar/kerberos.html
 http://techpubs.spinlocksolutions.com/dklar/afs.html
 http://techpubs.spinlocksolutions.com/dklar/ldap.html
... so the ldap is used for serving metadata only. OpenAFS has been
updated to 1.6 since, and some configuration tweaks were needed to make
them all play nicely with the graphical log-in.

>
> For Kerberos, if you're using either MIT or Heimdal, this may be
> difficult, since usually the keys for user principals are all salted
> with the realm name. In the past I believe doing this was considered
> impossible to do with existing code, but maybe things have improved.
> This is more appropriate for the relevant Kerberos list, but someone may
> respond here further anyway.
>
> AD I assume has an easier time with this, since it stores passwords and
> not keys.

So, MIT kerberos is used, but generating new passwords is certainly doable
if the homedirs on afs can still be saved.

>
>> Any suggestions how to best do this?
>
> OpenAFS servers and such usually don't care much about the name of the
> cell. You can generally just treat this as adding a new realm for the
> cell (and later removing the old realm/cell, if you want to). This means
> you generate a new kerberos principal for afs/newcell@NEWREALM, add it
> to the KeyFile/rxkad.keytab, and add the new realm to openafs's
> krb.conf. If you ever use the '-cell' option in any scripts or anything,
> of course that would need to change. You may want to just take down all
> of the servers, update ThisCell and CellServDB, and restart, but doing
> that I don't think is strictly necessary.

So, IIUC the homedirs aren't actually moved, they only get new reference
points (or something)?

>
> For clients, just point them at the same servers with the new cell name.
> So, update their client CellServDBs or your AFSDB/SRV records, etc. You
> can point two different cell names at the same servers; clients don't
> ever send the cell name when talking to afs servers; it's just used for
> deciding which dbservers to contact and for acquiring/storing
> credentials.

I duplicated a client and updated all its server pointers, including ldap.
I suppose the new kerberos key needs to be added to the keytab, as well?

br, jukka


>
> --
> Andrew Deason
> adeason@sinenomine.net
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
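The procedure Andrew sketches above (new afs/ principal for the new cell name, its key added to the server keytab, the new realm added to the servers' krb.conf, and clients given a CellServDB that maps the new cell name to the same servers) written out as a shell script. This is an added example, not code from the thread or from OpenAFS; the cell names, realm, server address and the rxkad.keytab path are assumptions (rxkad.keytab is the OpenAFS 1.6.5+ keytab; older 1.6 servers use asetkey and the KeyFile instead). The file-generating functions run anywhere; the kadmin/fs/aklog steps only run when you pass `apply`.

```shell
#!/bin/sh
# Added example: rename an OpenAFS cell by adding a second cell name/realm that
# points at the *same* servers. All names below are assumptions; adjust them.
OLDCELL=old.example.com
NEWCELL=new.example.com
OLDREALM=OLD.EXAMPLE.COM
NEWREALM=NEW.EXAMPLE.COM
DBSERVER_IP=192.0.2.10               # unchanged server address
DBSERVER_NAME=afsdb.new.example.com
RXKAD_KEYTAB=/etc/openafs/server/rxkad.keytab   # assumed server keytab path

# Client CellServDB: both cell names map to the same database server, so a
# client can keep using the old name while the new one is rolled out.
# Format: ">cellname #comment" followed by "ip #hostname" lines.
# usage: make_cellservdb OLDCELL NEWCELL IP HOSTNAME
make_cellservdb() {
    for cell in "$1" "$2"; do
        printf '>%s\t#%s\n' "$cell" "$cell"
        printf '%s\t#%s\n' "$3" "$4"
    done
}

# Server krb.conf: every realm whose afs/ principal the fileservers must
# accept, one per line. Listing both lets old and new tokens work together.
# usage: make_krb_conf REALM...
make_krb_conf() {
    printf '%s\n' "$@"
}

# Server side (run on the KDC / AFS db server as root, assumption: MIT krb5):
# create afs/NEWCELL@NEWREALM and add its key to the rxkad keytab.
# Pre-1.6.5 servers instead extract a single-DES key and load it with
#   asetkey add <kvno> <keytab> afs/NEWCELL@NEWREALM
add_new_cell_key() {
    kadmin.local -q "addprinc -randkey afs/${NEWCELL}@${NEWREALM}"
    kadmin.local -q "ktadd -k ${RXKAD_KEYTAB} afs/${NEWCELL}@${NEWREALM}"
}

# Client side check: add the new cell at runtime, get a ticket in the new
# realm and an AFS token for the new cell name, then confirm the token.
client_check() {
    fs newcell "${NEWCELL}" "${DBSERVER_IP}"
    kinit "${USER}@${NEWREALM}"
    aklog -c "${NEWCELL}" -k "${NEWREALM}"
    tokens
}

if [ "${1:-}" = "apply" ]; then
    make_krb_conf "${OLDREALM}" "${NEWREALM}" > /etc/openafs/server/krb.conf
    make_cellservdb "${OLDCELL}" "${NEWCELL}" "${DBSERVER_IP}" "${DBSERVER_NAME}" \
        > /etc/openafs/CellServDB
    add_new_cell_key
    client_check
fi
```

Keep the old realm in krb.conf until every client has switched, otherwise tokens obtained with afs/oldcell@OLDREALM stop being accepted the moment the servers are restarted. Once no client still uses the old cell name, the old principal and the old entries can be removed.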