I’m working on finally upgrading our AFS cell from DES to stronger encryption keys, and I was able to successfully follow the instructions on the OpenAFS web page to get a new keytab issued for my test cell with stronger encryption.
However, after installing the new keytab file on my test AFS servers and restarting the processes, I found that tokens that had been issued with my previous key were no longer working - I had to do a kinit with the updated Kerberos principal and run aklog again to get a working token. My goal would be to make sure that existing tokens didn’t stop working when I upgrade my production cell, so I’m wondering if I did something wrong or accidentally disabled something too early.

Here are the steps I ran:

1.) Have new keytab created by our AD admin that has all of the newer encryption types, as well as the older DES encryption, with a new KVNO.
2.) Removed the DES keys from the keytab file.
3.) Deploy the new keytab file to all of my servers as rxkad.keytab. The old KeyFile was still in place.
4.) Restarted the AFS servers.
5.) Ran kinit, and verified that the afs/<cell>@<REALM> key was still listed as des-cbc-crc.
6.) Had the AD admin unset the ‘DES only’ box on the account tied to the afs/<cell>@<REALM> identity.
7.) Restarted the AFS servers again.
8.) Ran kinit again, and verified that the afs/<cell>@<REALM> key is now listed as one of the higher encryption types.
9.) Ran aklog, verified that I could write to AFS.
10.) Tried to write with a session that had an older token, and got permission denied. After re-kinit-ing, it worked as expected.

I am planning to do the cell upgrade on a weekend to minimize the potential disruption, but I would still like to have my old tokens work if possible. Did I do something wrong or restart any servers too early?

Brian

--
Brian Sebby ([email protected]) | Information Technology Infrastructure
Phone: +1 630.252.9935 | Business Information Services
Cell: +1 630.921.4305 | Argonne National Laboratory
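Steps 1 and 2 above (get a keytab with the new KVNO, strip the DES entries) are the point where it pays to check exactly what is left in the file before it is deployed: which principals, which kvnos and which enctypes. The script below is an added example written for this thread, not code from the original post or from OpenAFS; it parses the MIT keytab format (version 2, as written by ktutil and Windows ktpass), summarizes each principal's kvnos and enctypes, flags any single-DES entry, and can write a copy with the DES entries removed. The cell name, realm, timestamps and key bytes in the constructed sample are dummies so that it runs without a Kerberos installation; pass a real path (for instance rxkad.keytab) as the first argument to inspect an actual file.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Enctype numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}  # single DES: 56-bit keys, brute-forceable


@dataclass
class KeytabEntry:
    principal: str
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string at offset off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode all live entries of a version-2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 2 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size = hole left by a deleted entry
            off += -size
            continue
        body, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", body, p)
        p += 2
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp)
        _name_type, timestamp = struct.unpack_from(">II", body, p)
        p += 8
        kvno = body[p]               # 8-bit kvno field
        p += 1
        enctype, klen = struct.unpack_from(">HH", body, p)
        p += 4
        key = body[p:p + klen]
        p += klen
        if len(body) - p >= 4:       # optional 32-bit kvno extension wins when non-zero
            (vno32,) = struct.unpack_from(">I", body, p)
            if vno32:
                kvno = vno32
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, timestamp, kvno, enctype, bytes(key)))
        off += size
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries back into version-2 keytab bytes."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit(entries: List[KeytabEntry]) -> Dict[str, dict]:
    """Per principal: kvnos present, enctype names, and whether a DES key remains."""
    report: Dict[str, dict] = {}
    for e in entries:
        r = report.setdefault(e.principal, {"kvnos": set(), "enctypes": set(), "weak": False})
        r["kvnos"].add(e.kvno)
        r["enctypes"].add(ENCTYPE_NAMES.get(e.enctype, f"enctype-{e.enctype}"))
        r["weak"] = r["weak"] or e.enctype in WEAK_ENCTYPES
    return report


def strip_weak(entries: List[KeytabEntry]) -> List[KeytabEntry]:
    """Drop single-DES entries; everything else is kept, older kvnos included."""
    return [e for e in entries if e.enctype not in WEAK_ENCTYPES]


# Constructed sample (hypothetical cell and realm, dummy key bytes): the old DES key
# at kvno 3 next to the new AES keys at kvno 4, as a freshly issued keytab might look.
PRINCIPAL = "afs/test.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(PRINCIPAL, 1700000000, 3, 1, b"\x11" * 8),
    KeytabEntry(PRINCIPAL, 1700000100, 4, 18, b"\x22" * 32),
    KeytabEntry(PRINCIPAL, 1700000100, 4, 17, b"\x33" * 16),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for principal, r in audit(parse_keytab(data)).items():
        print(principal, "kvnos", sorted(r["kvnos"]), "enctypes", sorted(r["enctypes"]),
              "DES present" if r["weak"] else "no DES")
```

The audit keeps kvnos and enctypes separate on purpose: stripping DES only removes entries of the weak enctypes, so the report shows at a glance whether the keytab being deployed still carries a key for the previous kvno or only for the new one, which is the first thing to look at when tokens issued before the switch stop verifying.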
