On 9/21/2011 5:08 PM, Dan Scott wrote:
> Hi, I have to perform a fairly major upgrade on my Kerberos servers which authenticate our OpenAFS cell, which means running with 2 different Kerberos servers, at least for a short while. I'd like to create a keytab on the new server and add it to the KeyFile of our existing servers. Then when a user tries to access AFS, they can be authenticated against whichever Kerberos server they like. The problem is that both servers are authoritative for the same realm, so I don't think there's any way for OpenAFS to know which server the user's Kerberos ticket was obtained from.
As Simon pointed out, this is very bizarre and could affect all of your services, not just Kerberos. I am surprised Red Hat would not have a transition plan. But from a quick glance at the notes it looks like they are saying that there is no upgrade on a single machine, but you could build new KDCs, freeze password changes and other database changes, then migrate the data, which should include all the keys, from old to new. At this point both sets of KDCs should be issuing tickets using the same keys. You could run like this as long as no database updates are needed, or you could swap host names and IP numbers of the old and new KDCs.

That said, there is one trick that can be used with AFS at least. This assumes that both sets of KDCs represent the same set of users. Since the AFS servers are still using DES keys stored in the KeyFile, one can add multiple keys, each with a different KVNO. The new KDCs could issue new keys with different KVNOs from the old server. The AFS servers do not care, as they can decrypt the tokens from either. (This was the trick used by the old gssklog and gsiklog.)

This quickly gets complicated if a user gets a krbtgt from one set of KDCs but tries to use it against the other set. Unless the keys are the same or both sets of KDCs know about the other's keys (with different KVNOs; think of this as cross-realm with your evil twin), this won't work. Servers would also need two sets of keys, with the old KDCs using one range of KVNOs and the new KDCs using a different range of KVNOs.
> Please can you tell me if it's possible? And if so, how?
>
> Thanks,
> Dan Scott
>
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
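A small model of the KeyFile trick described in the reply, added here as an illustration rather than anything from the thread or from OpenAFS itself: the AFS server chooses its service key by KVNO alone, so tokens from both KDC sets are accepted as long as each set's KVNO range is present in the KeyFile and the ranges do not overlap. HMAC-SHA256 stands in for the DES token check so the script runs with the standard library only; the sample keys and principal are constructed.

```python
import hmac
import hashlib

# Added example, not part of the thread. HMAC-SHA256 replaces the real
# rxkad/DES token check (assumption) so this runs with the standard library.

def kvno_collisions(old_kdc_keys, new_kdc_keys):
    """Return the KVNOs that both KDC sets use for *different* keys.

    Such a collision is fatal: the server picks one key by KVNO and would
    silently fail to decrypt tokens issued under the other KDC set's key."""
    return sorted(k for k in old_kdc_keys.keys() & new_kdc_keys.keys()
                  if old_kdc_keys[k] != new_kdc_keys[k])

def merge_keyfile(old_kdc_keys, new_kdc_keys):
    """Build the combined KeyFile plan (kvno -> key) from both KDC sets."""
    clash = kvno_collisions(old_kdc_keys, new_kdc_keys)
    if clash:
        raise ValueError(f"KVNO collision between KDC sets: {clash}")
    return {**old_kdc_keys, **new_kdc_keys}

def issue_token(kdc_keys, kvno, payload):
    """A KDC seals a token under its afs service key of the given KVNO."""
    tag = hmac.new(kdc_keys[kvno], payload, hashlib.sha256).digest()
    return (kvno, payload, tag)

def server_accepts(keyfile, token):
    """AFS server side: look up the key by the token's KVNO, then verify."""
    kvno, payload, tag = token
    key = keyfile.get(kvno)
    if key is None:
        return False          # KVNO not in KeyFile: nothing to check against
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

if __name__ == "__main__":
    # Constructed sample keys: old KDCs use kvno 3, new KDCs use kvno 10.
    old = {3: b"constructed-old-kdc-des-key"}
    new = {10: b"constructed-new-kdc-des-key"}
    keyfile = merge_keyfile(old, new)
    print(server_accepts(keyfile, issue_token(old, 3, b"alice@EXAMPLE.ORG")))
    print(server_accepts(keyfile, issue_token(new, 10, b"alice@EXAMPLE.ORG")))
    # A KeyFile holding only the old keys rejects tokens from the new KDCs.
    print(server_accepts(old, issue_token(new, 10, b"alice@EXAMPLE.ORG")))
```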
