On Dec 20, 2007 9:50 AM, John Tang Boyland <[EMAIL PROTECTED]> wrote:
> Jeffrey Altman wrote:
> ] Simon Wilkinson wrote:
> ] > So, in the
> ] > interests of fixing this quickly, we're just going to add the
> ] > afs/inf.ed.ac.uk principal, and get on with our lives.
> ] >
> ] > It's unclear to me what the 'correct' solution to actually fix aklog is.
> ]
> ] It is my opinion that the "[EMAIL PROTECTED]" principal name is supported for
> ] backwards compatibility with prior practices and that "afs/[EMAIL PROTECTED]"
> ] is the current best practice.
>
> Can someone describe the steps necessary to effect this change? We
> migrated our cell to kerberos V two years ago but still use the
> [EMAIL PROTECTED] shorthand. I would expect that the change involves some
> add_principal and ktadd commands and maybe asetkey and copying
> super-secret files around, but I'm afraid if I tried to do it myself,
> I would get a kvno problem and the fileservers would stop working
> and/or it would be impossible to get AFS tokens. If it helps,
> there's nothing wrong with leaving the old [EMAIL PROTECTED] principal alive
> and working.
>

In heimdal, at least, assuming you don't have a salted password you can just "rename afs afs/CELL".

Annoyingly, if you use heimdal's kdc as a kaserver emulator, it then breaks klog, because it doesn't know how to fall back if "afs@" doesn't exist.
