On Tue, 11 Oct 2016, Andreas Ladanyi wrote:

> On 10.10.2016 at 17:24, Jeffrey Altman wrote:
> >>> And you need to install the keys from Cell B onto the fileserver.
> >> The old afs server doesn't support rxkad, only single des.
> >> The new afs server works with rxkad.
> >>
> >> Is this a problem ?
> > I believe you meant to say the new afs server uses rxkad-k5+kdf.
> Yes, thank you :-)
>
> >
> > If you have deployed non-DES keys to Cell B, then you cannot move the
> > fileserver from Cell A to Cell B unless you first upgrade the fileserver
> > to a version of OpenAFS that supports rxkad-k5+kdf.
> Ok, so I have to upgrade the old afs server (now cell A and in future
> cell B, realm A) to release minimum of 1.6.5 to use rxkad-k5+kdf
> extension and copy the non-des keys from the new afs server (cell B,
> realm B) to the old afs server ?
>
> Or, I have to switch the new afs server back to single des keys mode and
> copy the key from the old afs server using single des to the new afs
> server, but only for the vos move process ?

You will need to either upgrade the software on the old server or add back a DES key to cell B. It should be possible to generate a random DES key that is not known to Kerberos, and install that key on all the cell B machines as well as the old server; that key would then be used for server-to-server communications from the old server to cell B servers but nothing else. (The other cell B servers would not be able to authenticate to the old server, but I believe they do not need to do so for the volume move operation you wish to undertake.)

-Ben