> Thanks. My next question is: if I do this, will it break existing
> sessions using tokens obtained via afs@?

If you merge a new secret into the AFS key file on the server with a new (high, say 10001) kvno, it should not. I have not tested this though.

> 1. Create afs/[email protected]
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS
> servers

Hmmm. Methinks between 1. and 3. tokens with the new key may fail. What do the experts think about this:

1. Start empty heimdal KDC for MATH.CORNELL.EDU on laptop.
2. Create afs/[email protected] on laptop with known (long, random) password and high kvno.
3. Extract AFSKEY with ktutil from KDC on laptop.
4. Merge AFSKEY for afs/math.cornell.edu into testserver's KeyFile.
5. Try to access something on testserver from laptop with key material created with kimpersonate.
6. Merge AFSKEY into all production servers.
7. Create identical afs/[email protected] on real KDC.

Warning: I have not tried this in practice, but I think in this manner you can back out each step without problem.

Harald.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
