The old Transarc documents recommend changing your server encryption
key every month. We've done it about 9 times in 16 years, and did
it last before we migrated to Kerberos V. The explanation of how
to change the encryption key assumes that you are using kaserver
and kas, so it's out of date
I am looking for an expert in AFS who does consulting in the NY city area.
Please contact me ASAP.
--
David Sonenberg
Director, Information Technology
Stroz Friedberg, LLC
15 Maiden Lane
Suite 1208
New York, N10038
Tel 212.981.6527
Fax
in addition to the well known rlidwka, there are also some extra,
reserved acl bits: ABCDEFGH (PRSFS_USR0-7)
AFS currently uses none of these. I know of a site which used G for a
while to encode that group rather than owner mode bits would apply to
people with that bit applied to them. Is
A V Le Blanc [EMAIL PROTECTED] writes:
On a test cell, I've been able to change the encryption key as follows:
I change the afs password using kadmin and export it to the KeyFile. I
then have to kill the bos process and all server processes on all
servers, since my old admin tokens don't
Wouldn't a better key-update-transition plan be:
* create a new key
* stash it in the KeyFile in the next kvno slot
* wait until the servers pick it up
* update the afs key on the kdc to match the new value (make sure it
matches the kvno that you used before)
* profit.
From what I
Robert Banz wrote:
Wouldn't a better key-update-transition plan be:
* create a new key
* stash it in the KeyFile in the next kvno slot
* wait until the servers pick it up
* update the afs key on the kdc to match the new value (make sure it
matches the kvno that you used before)
*
What is required is functionality in the KDC that says generate a new
key for service X but don't use it yet.
Then you could distribute the key to your servers and after they were
all updated, you could activate the use of the new key.
That functionality could be simulated with a blah script
I've been using the stable openafs-1.4.2 for some time and have not
had so much difficulty compiling it. For about 2 months, I've been
using a patch that stops openafs from looking for config.h in the
linux source, and that was the only change needed.
Today, security updates for fc5 AND fc6
* Steve Simmons [2007-03-15 13:03:44 -0400]:
On Mar 15, 2007, at 9:03 AM, Jose Angel Herrero wrote:
We have an afs cell (atc.unican.es) installed in a HP ProLiant
DL380 G3 and Linux (Debian 3.0 r2) server. The afs partitions
(vicepxx) for this cell are located in a HP MSA20 (SATA disk
Hello everybody,
We have an afs cell (atc.unican.es) installed in a HP ProLiant DL380 G3
and Linux (Debian 3.0 r2) server. The afs partitions (vicepxx) for this
cell are located in a HP MSA20 (SATA disk drive storage enclosure with
12 SATA disks with Ultra320 SCSI host connectivity and 6
Robert Banz [EMAIL PROTECTED] writes:
What is required is functionality in the KDC that says generate a new
key for service X but don't use it yet.
Then you could distribute the key to your servers and after they were
all updated, you could activate the use of the new key.
That
I don't suppose you tried 1.4.3rc3?
On Fri, 16 Mar 2007, Paul Johnson wrote:
I've been using the stable openafs-1.4.2 for some time and have not
had so much difficulty compiling it. For about 2 months, I've been
using a patch that stops openafs from looking for config.h in the
linux source,
Is there any option for the OpenAFS client that will cause it to
refuse to associate tokens with a userid (rather than a PAG)?
This is the default behavior when aklog is invoked outside of a PAG --
any tokens get associated with all processes under that userid which
do not have a PAG. I'm
In the website http://www.openafs.org, I do not find any package 1.4.3rc3.
Where is it?? In there, it looks like 1.4.2 is the end of the line.
I did find a development version 1.5.16 and it does compile and install.
However, when I try to start the openafs-client service, I get the
incredibly
Paul Johnson [EMAIL PROTECTED] writes:
Message-ID: [EMAIL PROTECTED]
From: Paul Johnson [EMAIL PROTECTED]
To: openafs-info@openafs.org
In-Reply-To: [EMAIL PROTECTED]
Subject: Re: [OpenAFS] Trouble compiling openafs with new FC5 and FC6 kernels
Date: Fri, 16 Mar 2007 22:55:40 -0500
In the
On Fri, 16 Mar 2007, Paul Johnson wrote:
In the website http://www.openafs.org, I do not find any package 1.4.3rc3.
Where is it?? In there, it looks like 1.4.2 is the end of the line.
I go to www.openafs.org
I see
2-Mar-2007 - OpenAFS 1.4.3 release candidate 3 available
OpenAFS
On Sat, 17 Mar 2007, Marcus Watts wrote:
Folks that have an opinion on how this should be organized should
feel free to speak up. Documentation and web pages don't get better
if people don't complain or better yet, offer improvements.
We actually are working on a whole new format for the web