On 2009 Apr 7, at 2:01, TIARA System Man wrote:
> I only had a...@realm. Should I create another afs/c...@realm?

It's not necessary. Current practice is to use afs/c...@realm but you don't have to change unless you're planning to have the same Kerberos realm host multiple cells at some point.

> If I do the following commands, will it mess up the AFS server?
>
> ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw
> asetkey add X /etc/krb5.keytab.afs afs/tiara.sinica.edu.tw

It should be fine as long as X != 3 (and of course X must match the kvno of the new principal, which should be 1 at creation).

> What are the benefits of having afs/c...@realm? Please tell me. Thank you. :)

The only real benefits are:
(1) aklog is very slightly faster since it checks afs/c...@realm first;
(2) you can host multiple AFS cells from the same Kerberos installation.

Note that even if you decide to do so later but still have the simple a...@realm, you could still create an afs/newc...@realm and simply not copy the a...@realm key into the new cell's KeyFile. It's only people who might get confused, not software.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] [email protected]
system administrator [openafs,heimdal,too many hats] [email protected]
electrical and computer engineering, carnegie mellon university    KF8NH

