On Apr 28, 2012, at 00:08 , Andrew Deason wrote:

> On Fri, 27 Apr 2012 19:48:19 +0200
> Stephan Wiesand <[email protected]> wrote:
> 
>> suppose one has to rename an AFS cell (and the krb5 realm responsible
>> for authentication), what would be the steps to take? Once the KDCs
>> are fully functional for the new realm, is the following sufficient?
> 
> I thought renaming a krb5 realm was difficult... isn't the realm name
> used as part of the salt? Or should I just assume you've already handled
> this? :)

Please assume I'm dumb and missing the most obvious problems :-)

> Renaming the realm isn't required, but I can certainly see why
> you'd want to.

Luckily, our users don't change passwords with kpasswd directly, but through 
our central user registry, which then propagates the change to several realms. 
Since our password policy enforces changing them every six months, we just need 
to propagate to the new realm in addition for that time, and can then swap it 
in. Host and service keys will have to be reissued, but I think that's feasible.

>> 1) shut down all AFS clients, Fileservers, DB servers 
>> 2) replace all ThisCell & CellServDB files, and the KeyFiles
>> 3) start the servers
>> 4) start the clients
> 
> Whether or not you even need to restart the clients I think depends on
> how you're using them wrt dynroot. But yeah, I think that's sufficient.
> We don't really store the cell name in any databases or anything if
> you're not using kaserver, so a cell doesn't tend to really be aware of
> what its own name is, aside from the entries in CellServDB/ThisCell.

Thanks for the good news.

> Technically I think you may be able to just change client configuration,
> with the servers still thinking the cell name is the old one, and it may
> at least mostly work. But that's obviously not the recommended way.

I'm most concerned about the clients we don't control. As a quick test, I used 
"fs newcell" to teach a client about a cell with the new name but the old db 
servers. Unauthenticated access seems to work just fine, but of course you 
can't get a token.

Maybe it would work if we kept the old KDCs running for a while, and configured 
the AFS servers to accept tickets for the old realm in addition (by putting the 
old realm in /usr/afs/etc/krb.conf)?

> I'm sure you're aware that this isn't a very common operation, though,

Painfully aware, yes...

> so this process isn't well-tested. I think I've only done something like
> this once or twice, but I don't remember any special steps required.

Thanks a lot for your response,
        Stephan

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany
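The config-swap step (2) and the krb.conf transition idea from the exchange above, as an added shell example that is not from either poster. It assumes the directory is passed as a parameter (/usr/afs/etc on servers, /usr/vice/etc on clients, or a staging copy), that CellServDB uses ">cellname   #comment" header lines followed by db server lines, and that krb.conf lists accepted realms one per line; all cell and realm names are placeholders.

```shell
# Added example (not from the thread): apply the cell rename to one AFS
# configuration directory and keep old-realm tickets accepted via krb.conf.
# Assumed layout: ThisCell holds the cell name; CellServDB has ">cell  #comment"
# header lines with db server lines below; krb.conf lists realms one per line.

# rename_cell CONFDIR OLDCELL NEWCELL OLDREALM
rename_cell() {
    confdir=$1; oldcell=$2; newcell=$3; oldrealm=$4
    for f in ThisCell CellServDB; do
        [ -f "$confdir/$f" ] || { echo "missing $confdir/$f" >&2; return 1; }
    done
    # ThisCell contains only the cell name.
    printf '%s\n' "$newcell" > "$confdir/ThisCell"
    # Rewrite only the ">oldcell" header token; the db server lines that
    # follow stay unchanged (same servers, new name).
    tmp="$confdir/CellServDB.tmp.$$"
    awk -v old=">$oldcell" -v new=">$newcell" \
        '$1 == old { sub(/^>[^ \t]*/, new) } { print }' \
        "$confdir/CellServDB" > "$tmp" && mv "$tmp" "$confdir/CellServDB"
    # Transition aid: list the old realm so tokens from the old KDCs are
    # still accepted; the check keeps re-runs from duplicating the line.
    grep -qx "$oldrealm" "$confdir/krb.conf" 2>/dev/null \
        || printf '%s\n' "$oldrealm" >> "$confdir/krb.conf"
}

# check_cell CONFDIR: succeeds only if ThisCell names a cell that has a
# CellServDB entry, i.e. the two files agree after the swap.
check_cell() {
    cell=$(head -n 1 "$1/ThisCell")
    awk -v want=">$cell" '$1 == want { ok = 1 } END { exit !ok }' "$1/CellServDB"
}
```

Run check_cell on every host before starting servers (step 3) so a half-replaced directory is caught before it joins the renamed cell.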

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
