[OpenAFS] Done the rekeying of my cell, but unpatched clients still works

Jose Manuel dos Santos Calhariz jose.calhariz@netvisao.pt
Wed, 08 Jan 2014 18:11:08 +0000


I have a cell of OpenAFS and a Kerberos 5 realm for tests.  I have done the
re-keying of afs/cellname@REALMNAME as explained in

http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
http://openafs.org/pages/security/how-to-rekey.txt

But I have made some mistake somewhere, because when I test with unpatched
1.4.x clients, they still authenticate.

My setup is:

   My server is a Debian wheezy running kerberos 1.10.1+dfsg-5+deb7u1
   and openafs 1.6.5.2-1~bpo70+1

   On the server ls -alF /etc/openafs/server:

-rw-r--r-- 1 root root   56 Jan  8 11:37 CellServDB
-rw-r--r-- 1 root root   50 Jan  3 19:48 CellServDB.old
-rw------- 1 root root  100 Jan  7 17:22 KeyFile.old
-rw------- 1 root root  314 Jan  7 19:06 rxkad.keytab
-rw-r--r-- 1 root root   15 Jan  6 19:46 ThisCell
-rw-r--r-- 1 root root   10 Jan  3 19:52 UserList

ktutil:  rkt /etc/openafs/server/rxkad.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
    1    3        afs/cellname@REALMNAME (aes256-cts-hmac-sha1-96)
    2    3        afs/cellname@REALMNAME (aes128-cts-hmac-sha1-96)
    3    3        afs/cellname@REALMNAME (des3-cbc-sha1)
    4    3        afs/cellname@REALMNAME (arcfour-hmac)

   I have done "bos restart -all localhost" and "reboot" to the server.

   The client is running a mix of software:
       openafs-client         1.4.2-6etch3
       openafs-krb5          1.4.2-6etch3
       openafs-modules-2.6.18-6-686      1.4.7.dfsg1-6+lenny1+4

         Jose Calhariz