Hi, On Wed, Sep 21, 2011 at 18:23, Simon Wilkinson <s...@inf.ed.ac.uk> wrote: > > On 21 Sep 2011, at 23:08, Dan Scott <danieljamessc...@gmail.com> wrote: > >> I have to perform a fairly major upgrade on my Kerberos servers which >> authenticate our Openafs cell, which means running with 2 different >> kerberos servers, at least for a short while. > > Running with two different KDCs, both servicing the same realm yet containing > different key material is a very bizarre (some might say fundamentally > broken) configuration to have. > > Perhaps you could explain the upgrade that you are trying to perform?
Yep, fully understood. :) It's just while I perform the upgrade(s), so that I can avoid having to re-configure all the clients at once. I'm running Fedora's FreeIPA http://freeipa.org/ and am in the process of migrating from version 1.2 to 2.1, which requires a re-installation of the software and migration of the user information. I have setup a new server running FreeIPA 2 and have configured a client to authenticate against it. Now I would like to allow this client to access our OpenAFS cell, which is why, I believe, (this may be incorrect) I need to add a principal from the new Kerberos server to the OpenAFS KeyFile. Then I can begin to migrate other clients over to the new server, and eventually remove the old server (re-install the new software). There may be a much easier way of accomplishing this, such as importing the keytab from the current server into the new one? (Just thought of that) :) Thanks, Dan _______________________________________________ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
