On Sat, 28 Apr 2012 21:46:56 +0200 Stephan Wiesand <[email protected]> wrote:
> > I thought renaming a krb5 realm was difficult... isn't the realm
> > name used as part of the salt? Or should I just assume you've
> > already handled this? :)
>
> Please assume I'm dumb and missing the most obvious problems :-)

[...]

> Luckily, our users don't change passwords with kpasswd directly, but
> through our central user registry, which then propagates the change to
> several realms. Since our password policy enforces changing them every
> six months, we just need to propagate to the new realm in addition for
> that time, and can then swap it in. Host and service keys will have to
> be reissued, but I think that's feasible.

[...]

> Maybe it would work if we kept the old KDCs running for a while, and
> configured the AFS servers to accept tickets for the old realm in
> addition (by putting the old realm in /usr/afs/etc/krb.conf)?

Okay, well, I originally thought you were talking about using the same
KDCs and the same databases, but just changing which realm they were a
part of. I thought this didn't work, since the keys for the principals
are usually salted with something like 'princREALM' for the principal
'princ@REALM'. So if you change the realm without changing the
database, the key for a principal will be wrong (it will mismatch if
you enter the correct password).

But if you're creating a new database or using new KDCs, etc, that's
not a problem. And even converting the existing database in-place may
be possible; I don't really know. I may be incorrect on some of these
details anyway, this is all pure krb5 stuff and not much to do with
AFS :)

And yeah, it should work fine with AFS if you want to run with two
realms for a while for a transition period, like you described.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
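The salting Andrew describes, worked through as an added example (this is not code from the thread, from OpenAFS or from MIT krb5): the RFC 3962 string-to-key function for aes128-cts-hmac-sha1-96, fed the salt MIT krb5 builds by default, which is the realm name followed by the principal's name components with no separator (the RFC 3962 test vector is the salt ATHENA.MIT.EDUraeburn for raeburn@ATHENA.MIT.EDU). It also derives keys under MIT's "norealm" salt type, which leaves the realm out of the salt by design. The n-fold routine, the salt-type handling and the made-up password, principal and realm names are all this example's own; AES comes from the third-party `cryptography` package, everything else is the standard library.

```python
"""
Added example (not from the mailing-list thread, OpenAFS or MIT krb5):
RFC 3962 aes128-cts-hmac-sha1-96 string-to-key, to show why renaming a
realm changes every key that was derived with the default salt.
Assumes the third-party `cryptography` package for AES.
"""
import hashlib
from functools import reduce
from math import gcd

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 section 5.1 n-fold: replicate `data` out to lcm(len, nbytes)
    bytes, rotating it right by 13 bits before each copy, then add the
    nbytes-sized chunks with ones'-complement (end-around carry) addition."""

    def rotate_right(b: bytes, nbits: int) -> bytes:
        whole, rem = (nbits // 8) % len(b), nbits % 8
        return bytes(
            ((b[i - whole] >> rem) | ((b[i - whole - 1] << (8 - rem)) & 0xFF))
            for i in range(len(b))
        )

    def add_ones_complement(x: bytes, y: bytes) -> bytes:
        n = len(x)
        v = [a + b for a, b in zip(x, y)]
        while any(w & ~0xFF for w in v):  # a carry out of byte i+1 lands in byte i, wrapping
            v = [(v[(i + 1) % n] >> 8) + (v[i] & 0xFF) for i in range(n)]
        return bytes(v)

    slen = len(data)
    lcm = nbytes * slen // gcd(nbytes, slen)
    big = b"".join(rotate_right(data, 13 * i) for i in range(lcm // slen))
    return reduce(add_ones_complement, (big[p:p + nbytes] for p in range(0, lcm, nbytes)))


def salt_for(principal: str, salttype: str = "normal") -> str:
    """Salt strings as MIT krb5 builds them for an unescaped name@REALM.
    'normal' (the default) is the realm followed by the name components;
    'norealm' is the components alone, so that key survives a realm rename;
    'onlyrealm' is the realm alone."""
    name, realm = principal.rsplit("@", 1)
    components = "".join(name.split("/"))
    if salttype == "normal":
        return realm + components
    if salttype == "norealm":
        return components
    if salttype == "onlyrealm":
        return realm
    raise ValueError(f"unsupported salt type {salttype!r}")


def aes128_string_to_key(password: str, salt: str, iterations: int = 4096) -> bytes:
    """RFC 3962 section 4: tmp = PBKDF2-HMAC-SHA1(password, salt, iterations, 16);
    key = DK(tmp, "kerberos"), which for a 128-bit AES key is a single
    AES-CBC block (zero IV) of n-fold("kerberos", 128 bits) under tmp."""
    tmp = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, 16)
    enc = Cipher(algorithms.AES(tmp), modes.CBC(bytes(16))).encryptor()
    return enc.update(nfold(b"kerberos", 16)) + enc.finalize()


def rename_keys(password: str, name: str, old_realm: str, new_realm: str,
                salttype: str = "normal") -> tuple[bytes, bytes]:
    """The keys one password yields for name@old_realm and name@new_realm
    under the given salt type: different under 'normal', equal under 'norealm'."""
    old = aes128_string_to_key(password, salt_for(f"{name}@{old_realm}", salttype))
    new = aes128_string_to_key(password, salt_for(f"{name}@{new_realm}", salttype))
    return old, new


if __name__ == "__main__":
    # Constructed sample input: a made-up password, principal and realm names.
    for st in ("normal", "norealm"):
        old, new = rename_keys("hunter2", "alice", "OLD.EXAMPLE.ORG", "NEW.EXAMPLE.ORG", st)
        print(f"{st:8s} old={old.hex()} new={new.hex()} same={old == new}")
```

Run as a script it prints one key pair per salt type: under the default salt the old-realm and new-realm keys differ, under norealm they match, which is the whole of the problem in the quoted exchange. The reason an in-place conversion is not hopeless either: a KDB entry carries a salt type for each key and, for non-default salt types, the salt string itself, and the KDC sends that salt to the client in the ETYPE-INFO2 pre-authentication data, so a key copied into the new realm together with its original salt string still verifies the user's password. Keys recorded as default-salted have no such string to carry over, and those are the ones that must be regenerated, which is what the password repropagation in the quoted message achieves.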
