[OpenAFS] Re: Moving Magic Trio to another domain

Andrew Deason adeason@sinenomine.net
Tue, 24 Sep 2013 17:24:26 -0500


On Wed, 25 Sep 2013 01:07:26 +0300 (EEST)
"Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:

> > So yes, the authentication setup is broken. Are you using the
> > non-DES setup, and do you remember exactly what you did?
> 
> addprinc -policy service -randkey -e aes256-cts-hmac-sha1-96:normal
> afs/[new.domain]

...is this the only thing that you ran?

> There is no file by name rxkad.keytab (tried to 'locate' it). Maybe it
> has a different name in Ubuntu 10.04 or may this be the error?

You need to extract the keys from the KDC to let the openafs servers
know about it, using 'ktadd' from kadmin. In the past with DES keys, you
used 'asetkey' to add the key to the KeyFile. With non-DES keys, you can
just use the extracted keytab directly, if you put it in
/usr/afs/etc/rxkad.keytab, or whatever the equivalent is on Ubuntu.

The more general, more detailed instructions for doing this are in
<http://openafs.org/pages/security/how-to-rekey.txt> (you want the
"Basic Procedure" for MIT Kerberos) and
<http://openafs.org/pages/security/install-rxkad-k5-1.6.txt>. However,
more briefly, all you should need to do is extract the afs/[new.domain]
principal using ktadd, move it to rxkad.keytab (in the same directory as
the KeyFile and the server-side CellServDB), and restart the server
processes.

Alternatively, you can keep using single DES for the moment so you're
not trying to do two different transitions at the same time. The non-DES
setup will only work if you are using 1.6.5, so if you are running
openafs older than that, you'll need to keep running with single DES for
the moment anyway.

-- 
Andrew Deason
adeason@sinenomine.net
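As an added illustration of the check a practitioner would run after the ktadd step described above (this is not code from the message or from OpenAFS), the script below parses an MIT-format keytab (file format version 0x0502) and verifies that it holds an afs/<cell> entry whose key is a non-DES enctype, which is what the rxkad.keytab path in 1.6.5 expects. It flags the two failure modes implied by the thread: no afs/<cell> key at all (ktadd was never run, or was run for the wrong principal), and a single-DES-only key (which belongs in the KeyFile via asetkey, not in rxkad.keytab). The sample keytabs are constructed inline with dummy key bytes; the cell name new.domain, realm NEW.DOMAIN and kvno 3 are assumptions for the example. The warning about keys for unrelated principals is an assumption as well (a keytab used as a service-key store should contain only the service's own keys; consult the linked install notes for how rxkad treats extra entries).

```python
"""Check an extracted rxkad.keytab for an afs/<cell> principal with a non-DES key."""
import struct

# Kerberos enctype numbers from the RFC 3961 / IANA registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string at buf[off:]; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (format version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)     # v2: count excludes the realm
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(entry, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", entry, off)
        off += 4 + klen                   # skip the key material itself
        kvno = vno8
        if off + 4 <= size:               # optional 32-bit kvno trails the keyblock
            (kvno,) = struct.unpack_from(">I", entry, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": klen})
    return entries


def check_rxkad_keytab(data, cell):
    """Return a list of problems for a rxkad.keytab meant for `cell` (empty list means OK)."""
    wanted = "afs/" + cell
    entries = parse_keytab(data)
    afs_keys = [e for e in entries if e["principal"].split("@", 1)[0] == wanted]
    others = [e for e in entries if e["principal"].split("@", 1)[0] != wanted]
    problems = []
    if not afs_keys:
        problems.append("no %s entry: extract it with 'ktadd -k rxkad.keytab %s'" % (wanted, wanted))
    elif all(e["enctype"] in SINGLE_DES for e in afs_keys):
        problems.append("only single-DES keys for %s: those go into KeyFile via asetkey, "
                        "not rxkad.keytab" % wanted)
    for e in afs_keys:
        if e["enctype"] not in ENCTYPE_NAMES:
            problems.append("unknown enctype %d for %s kvno %d" % (e["enctype"], wanted, e["kvno"]))
    for e in others:  # assumption: a service keytab should hold only the service's own keys
        problems.append("unrelated principal %s present in rxkad.keytab" % e["principal"])
    return problems


def build_keytab(entries):
    """Construct a 0x0502 keytab from (realm, components, kvno, enctype, key) tuples (test data)."""
    out = bytearray(b"\x05\x02")
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample keytabs with dummy key bytes (not real keys).
GOOD = build_keytab([("NEW.DOMAIN", ["afs", "new.domain"], 3, 18, b"\x11" * 32)])
DES_ONLY = build_keytab([("NEW.DOMAIN", ["afs", "new.domain"], 3, 1, b"\x22" * 8)])
MIXED = build_keytab([("NEW.DOMAIN", ["afs", "new.domain"], 3, 18, b"\x11" * 32),
                      ("NEW.DOMAIN", ["host", "fs1.new.domain"], 2, 18, b"\x33" * 32)])

if __name__ == "__main__":
    import sys
    # Usage: python3 check_rxkad_keytab.py /usr/afs/etc/rxkad.keytab new.domain
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else GOOD
    cell = sys.argv[2] if len(sys.argv) > 2 else "new.domain"
    for e in parse_keytab(data):
        print("%-40s kvno %d %s" % (e["principal"], e["kvno"],
                                    ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"])))
    print("problems:", check_rxkad_keytab(data, cell) or "none")
```

Run it against the real file after the extraction step (`kadmin -q 'ktadd -k /root/rxkad.keytab afs/new.domain'`, then move the file next to KeyFile and CellServDB with root-only permissions); `klist -ekt rxkad.keytab` from MIT Kerberos shows the same principal, kvno and enctype columns and is a good cross-check of the parser's output. The kvno matters when the server processes are restarted: a ticket issued before the rekey carries the old kvno, so the rekey procedure in how-to-rekey.txt keeps the previous key available until those tickets have expired.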