[OpenAFS] Recommended procedure for rotating AFS service keys

Edgecombe, Jason jwedgeco@uncc.edu
Mon, 30 Nov 2015 13:42:28 -0500


Hi everyone,

I need to rotate the password/keytab for our AFS service principal. We're
using OpenAFS 1.6.15 with rxkad.keytab (no KeyFile) and MIT Kerberos on the
KDC.

I'm looking for some guidance on how to do that. It looks like the 'ktadd'
command in kadmin doesn't allow you to keep old passwords. My plan is to
use ktutil to construct a new keytab, deploy the new keytab (current and
future keys) to the file/cell servers, then change the password on the KDC.

When changing the password, do I need to use the '-keepold' option to cpw?
What other gotchas can I expect? Does this require a service outage or is
it seamless for users?

Thanks,
Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
jwedgeco@uncc.edu | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------
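The plan above hinges on one detail: a service ticket is encrypted under whichever service key had the current kvno when the KDC issued it, so after the password change the servers must still hold the old kvno's key until every outstanding ticket has expired. A keytab written by a bare `ktadd` holds only the new kvno. The following script is an added example, not code from the message above or from OpenAFS or MIT Kerberos: it builds a small MIT-format (0x0502) keytab in memory, parses it back, and checks that the file you are about to push to the servers contains both the current and the next kvno for the AFS principal and no single-DES keys. The principal `afs/example.edu@EXAMPLE.EDU`, the kvnos 3 and 4, and the key bytes are all made up for the example; on a real `rxkad.keytab` the same information comes from `klist -kte`.

```python
"""Keytab rotation-readiness check (constructed example, not OpenAFS/MIT code).

Builds an MIT keytab (format 0x0502) in memory, parses it, and confirms that
both the current and the next kvno for the AFS principal are present before
the password is changed on the KDC. Principal, kvnos and keys are made up.
"""
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757); single DES is the weak family.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}
KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2, big-endian fields
NT_PRINCIPAL = 1
PRINCIPAL = "afs/example.edu@EXAMPLE.EDU"   # assumed cell principal
DUMMY_KEY = bytes(range(32))                 # constructed, not a real key


def _counted(b):
    """uint16 length prefix + bytes: the keytab's string/key encoding."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key) -> keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                          # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a list of dicts: principal, kvno, enctype, enctype_name, keylen."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab, magic %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit vno; nonzero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": len(key),
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
        pos = end
    return entries


def rotation_ready(entries, principal, current_kvno, next_kvno):
    """(ok, problems): both kvnos present for principal and no single-DES keys."""
    problems = []
    mine = [e for e in entries if e["principal"] == principal]
    kvnos = {e["kvno"] for e in mine}
    for k in (current_kvno, next_kvno):
        if k not in kvnos:
            problems.append("kvno %d missing for %s" % (k, principal))
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("kvno %d uses weak enctype %s" % (e["kvno"], e["enctype_name"]))
    return (not problems), problems


# What ktutil should produce before cpw: current key (kvno 3) plus next key (kvno 4).
GOOD_KEYTAB = build_keytab([(PRINCIPAL, 3, 18, DUMMY_KEY), (PRINCIPAL, 4, 18, DUMMY_KEY)])
# What a bare ktadd produces: only the new kvno, so tickets under the old key would fail.
KTADD_ONLY_KEYTAB = build_keytab([(PRINCIPAL, 4, 18, DUMMY_KEY)])

if __name__ == "__main__":
    for label, blob in (("ktutil-merged", GOOD_KEYTAB), ("ktadd-only", KTADD_ONLY_KEYTAB)):
        ok, problems = rotation_ready(parse_keytab(blob), PRINCIPAL, 3, 4)
        print(label, "OK" if ok else "NOT READY", problems)
```

Run it as-is to see the merged keytab pass and the ktadd-only keytab fail on the missing kvno 3. To check a real file, read `rxkad.keytab` into `parse_keytab` and pass the kvno reported by `kvno`/`kadmin getprinc` as `current_kvno` and that value plus one as `next_kvno`; do this on every file and database server before running `cpw`, and keep the old entry in the keytab until the longest ticket lifetime has passed.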
