On 22 Sep 2011, at 08:31, Dan Scott <danieljamessc...@gmail.com> wrote:
>
> No, I haven't, because two developers confirmed that I'd need to migrate:
>
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00250.html
> https://www.redhat.com/archives/freeipa-users/2011-May/msg00251.html

If the contents of that first message are correct (that, in order to upgrade, you have to regenerate the keytabs for every Kerberised service) then FreeIPA has a fundamentally broken upgrade path. I would be really nervous about deploying something where so little consideration is given to upgrades. The underlying Kerberos service has no problem with providing an upgrade path - it beggars belief that FreeIPA doesn't have one.

The problem is the one you noted earlier. If you have two KDCs, both of which claim to be the same realm, but which contain different key material, there's absolutely no way for a service to tell which KDC issued a particular ticket, and so which key should be used to decrypt it. This means that the _only_ way to upgrade such a system is to shut everything down, remove all of the old keytabs, and create new ones for every service. You'll have a complete service outage for the period of time it takes you to do this work.

It's worth noting that this isn't a problem of AFS's making - the issue will affect every Kerberised service that you run.

>
>> Anyway, if you really must switch realms you should at least do it the
>> proper way: pick some other name for the new realm, and use cross-realm
>> trust as needed during the migration.
>
> That's just it, the migration doesn't necessarily require a realm
> switch. Maybe I do need to though, to accomplish what I want.

No, the fact that FreeIPA doesn't support importing the old KDC database into the newer KDC means that the only way to achieve what you are trying to do without significant downtime is by changing your realm name. Of course, this means that anywhere that the realm is used in access control rules will have to be updated too.

I think it's probably worth pushing the FreeIPA developers about an upgrade path for Kerberos key material. If they are unable, or unwilling, to provide one, then I would give serious consideration as to whether it is an appropriate piece of software to have at the heart of your organisation's infrastructure. If an upgrade from version 1 to 2 requires a flag day, then what about from version 2 to 3, or from 3 to 4?

S.

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
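The key-selection problem described in the message above, as an added illustration that is not part of the original thread and not code from FreeIPA, OpenAFS or any Kerberos implementation. It is a toy model: HMAC-SHA256 stands in for the enctype's encryption and integrity check, the service principal name, realm names, kvnos and key bytes are all constructed, and both KDCs in the same-realm case are assumed to hand out the same kvno. What it shows is that a service selects its key purely by (principal, realm, kvno) from its keytab, so two KDCs claiming one realm name with different key material leave the service unable to verify tickets from the new KDC, whereas a distinct realm name keys the lookup differently and entries for both realms can coexist in one keytab during a migration (cross-realm trust itself is not modelled).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy model (not Kerberos itself): a service ticket is "sealed" with the
# service key held by the issuing KDC, and the receiving service chooses the
# key to check it with from its keytab, keyed by (principal, realm, kvno)
# as a real keytab is. HMAC-SHA256 stands in for the enctype's encryption
# and integrity check; the point is which key gets selected, not the cipher.

SERVICE = "afs/cell.example.com"  # constructed service principal name


@dataclass(frozen=True)
class Ticket:
    sprinc: str   # service principal the ticket is for
    realm: str    # realm the issuing KDC claims to be
    kvno: int     # key version number the KDC used
    body: bytes   # ticket contents (constructed, not a real ticket encoding)
    tag: bytes    # integrity tag computed with the service key


def issue_ticket(kdc_keys, sprinc, realm, kvno, body):
    """KDC side: seal `body` with this KDC's copy of the service key."""
    key = kdc_keys[(sprinc, realm, kvno)]
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return Ticket(sprinc, realm, kvno, body, tag)


def accept_ticket(keytab, ticket):
    """Service side: pick the key by (principal, realm, kvno), then verify.

    Returns (accepted, reason). The ticket does not say which KDC produced
    it, only which principal it is for, so the lookup is all the service has.
    """
    key = keytab.get((ticket.sprinc, ticket.realm, ticket.kvno))
    if key is None:
        return False, "no keytab entry for %s@%s kvno %d" % (
            ticket.sprinc, ticket.realm, ticket.kvno)
    expected = hmac.new(key, ticket.body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket.tag):
        return False, "integrity check failed (sealed with a different key)"
    return True, "ok"


def same_realm_cutover():
    """Old and new KDC both claim EXAMPLE.COM but hold different key material.

    Returns (old_ticket_accepted, new_ticket_accepted) for a service that is
    still running with the keytab the old KDC produced.
    """
    old_kdc = {(SERVICE, "EXAMPLE.COM", 3): b"\x11" * 32}  # constructed key
    new_kdc = {(SERVICE, "EXAMPLE.COM", 3): b"\x22" * 32}  # same name and kvno (assumed)
    keytab = dict(old_kdc)  # what the service was deployed with
    body = b"client=alice@EXAMPLE.COM"  # constructed ticket contents
    t_old = issue_ticket(old_kdc, SERVICE, "EXAMPLE.COM", 3, body)
    t_new = issue_ticket(new_kdc, SERVICE, "EXAMPLE.COM", 3, body)
    return accept_ticket(keytab, t_old)[0], accept_ticket(keytab, t_new)[0]


def distinct_realm_migration():
    """New KDC runs as NEW.EXAMPLE.COM; the keytab gains an entry for it.

    Because the realm name is part of the lookup, entries for both realms
    coexist in one keytab and tickets from either KDC verify, so services
    can be moved over one at a time instead of on a flag day.
    """
    old_kdc = {(SERVICE, "EXAMPLE.COM", 3): b"\x11" * 32}
    new_kdc = {(SERVICE, "NEW.EXAMPLE.COM", 1): b"\x22" * 32}
    keytab = {**old_kdc, **new_kdc}
    body = b"client=alice"
    t_old = issue_ticket(old_kdc, SERVICE, "EXAMPLE.COM", 3, body)
    t_new = issue_ticket(new_kdc, SERVICE, "NEW.EXAMPLE.COM", 1, body)
    return accept_ticket(keytab, t_old)[0], accept_ticket(keytab, t_new)[0]


if __name__ == "__main__":
    print("same realm name, old keytab :", same_realm_cutover())
    print("distinct realm, merged keytab:", distinct_realm_migration())
```

Running it prints `(True, False)` for the same-realm cutover and `(True, True)` for the distinct-realm migration; the second tuple is the property the realm-rename advice in the thread relies on.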