[OpenAFS] Re: Moving Magic Trio to another domain

Andrew Deason adeason@sinenomine.net
Mon, 23 Sep 2013 23:30:27 -0500 

On Mon, 23 Sep 2013 22:06:16 +0300 (EEST)
"Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:

> I first tried to dpkg-reconfigure krb server packages so I could
> introduce the new domain, but it persisted to use the old domain
> without asking a thing, so I manually replaced all old domains in the
> .conf with the new one. I was then able to create the new realm.
> 
> How do I destroy the old realm data?

I assume you just delete the kdc files in /var/lib somewhere before
recreating the database. But I'm not looking up the details right now,
and I don't think I've ever done the procedure you are performing :)

> I was able to add the new cell princ key, but not the server princ
> key, as it returned

I'm not sure what exactly you're talking about here. There is only one
afs/* principal, the cell principal. The afs/cellname principal.

> "cannot specify keysaltlist when not changing key" when given the command
> 
> kadmin.local:  ktadd -k /tmp/afs.keytab -norandkey -e
> des-cbc-crc:normal afs/[server.name]. But that was my earlier attempt
> (see a few lines below what I did), so it may be different when I
> follow your suggestions more closely...

This is just what the error message says. Using -norandkey means you
extract existing keys into /tmp/afs.keytab, but using -e is for
specifying the enctypes for new keys to be written out. It doesn't make
sense to use both of them at the same time. You're either extracting
existing keys, or you're generating new keys and writing them to
/tmp/afs.keytab.

And yeah, you probably want to use non-DES for the new principal.

> I renamed the old /vicepa and was going to create a new one, but I
> quess I shouldn't have done that but used the existing one as is?

Correct. You don't need to recreate any data or databases or whatever
for afs, just update some config files.

> Luckily I can easily restore an earlier snapshot and try it the other
> way.

Unless you changed it, you can just move it back...

-- 
Andrew Deason
adeason@sinenomine.net