* Jeff Blaine [2012-03-16 09:41:26 -0400]:
> So then to migrate from afs@REALM to afs/cell@REALM without
> interruption:
>
> 1. Create afs/cell@REALM just as afs@REALM was [taking care to avoid
>    kvno collisions, as pointed out by Brandon Allbery]
> 2. Extract keytab for afs/cell@REALM
> 3. Add key(s) for afs/cell@REALM to OpenAFS KeyFile on "etc" upserver
> 4. After at least "max ticket lifetime", remove the old key from
>    KeyFile and also remove the principal from KDC.
I think you'll want to remove the old principal from the KDC as soon as the
new principal and key have propagated to all servers (both KDC and AFS).
*Then* wait one maximum ticket lifetime before removing the old key from the
KeyFile. You shouldn't rely on clients to always try afs/cell@REALM before
afs@REALM.

Incidentally, I like to make sure all AFS servers have the new key before
the KDCs start issuing tickets with it; for me that has meant

1'. Generate new key, add it to the KeyFile with some unused kvno, wait for
    it to propagate;
2'. Create afs/cell@REALM with that key and kvno in the KDC database;
3'. Remove afs@REALM from the KDC database

but if your KDC lets you mark a new key "don't issue tickets yet" you could
set that flag in your step 1 and clear it after your step 3 (+ KeyFile
propagation).

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
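The ordering argument in the thread above (why the old principal should leave the KDC before the old key leaves the KeyFile, why the key should reach every server before the KDC issues tickets with it, and why the new principal must not reuse a kvno already in the KeyFile) can be checked with a small model. The following is an added example, not code from the thread or from OpenAFS: it models a KDC that tags each ticket with the kvno it was encrypted under, fileservers whose KeyFile is indexed by kvno only, and a client that asks for service principals in a preferred order. The realm and cell names, server names, key strings and the 10-hour lifetime are all constructed.

```python
"""Rollover-order model for an OpenAFS service key (afs@REALM -> afs/cell@REALM).

Added example, not from the original thread or from OpenAFS. Only the ordering
constraints are modelled: the KDC encrypts each service ticket in the principal's
current key and tags it with that kvno; every fileserver's KeyFile is indexed by kvno
alone; a ticket is usable until it expires on whichever server the client hits.
"""
from dataclasses import dataclass

MAX_TICKET_LIFETIME = 10  # hours; constructed stand-in for the realm's maximum


@dataclass
class Ticket:
    principal: str
    kvno: int
    key: str      # stands in for "encrypted in this key"
    expires: int


class KDC:
    def __init__(self):
        self.principals = {}  # name -> (kvno, key)

    def add(self, name, kvno, key):
        self.principals[name] = (kvno, key)

    def remove(self, name):
        self.principals.pop(name, None)

    def issue(self, now, preferred):
        """The client asks for the names in `preferred` order; the first one the KDC
        still has wins. This is the client behaviour the reply says not to rely on."""
        for name in preferred:
            if name in self.principals:
                kvno, key = self.principals[name]
                return Ticket(name, kvno, key, now + MAX_TICKET_LIFETIME)
        raise LookupError("KDC has no afs service principal the client knows about")


class Server:
    """One AFS server holding a KeyFile: kvno -> key (no principal name in the index)."""

    def __init__(self, name):
        self.name = name
        self.keyfile = {}

    def add_key(self, kvno, key):
        if kvno in self.keyfile and self.keyfile[kvno] != key:
            raise ValueError(f"{self.name}: kvno {kvno} already holds a different key")
        self.keyfile[kvno] = key

    def remove_key(self, kvno):
        self.keyfile.pop(kvno, None)

    def accepts(self, ticket, now):
        return now < ticket.expires and self.keyfile.get(ticket.kvno) == ticket.key


def setup():
    """Starting state (constructed): afs@REALM at kvno 3, same key in every KeyFile."""
    kdc = KDC()
    kdc.add("afs@REALM", 3, "k-old")
    servers = [Server("fs1"), Server("fs2")]
    for s in servers:
        s.add_key(3, "k-old")
    return kdc, servers


def rejecting_servers(servers, ticket, now):
    return [s.name for s in servers if not s.accepts(ticket, now)]


def scenario_remove_together():
    """Quoted step 4 taken literally: after one max lifetime, drop the old key from the
    KeyFile and the old principal from the KDC at the same moment."""
    kdc, servers = setup()
    for s in servers:
        s.add_key(4, "k-new")
    kdc.add("afs/cell@REALM", 4, "k-new")
    # An old client keeps asking only for afs@REALM and gets a kvno-3 ticket at hour 9.
    ticket = kdc.issue(now=9, preferred=["afs@REALM"])
    for s in servers:                                      # hour 10: both removals at once
        s.remove_key(3)
    kdc.remove("afs@REALM")
    return rejecting_servers(servers, ticket, now=12)      # ticket is valid until hour 19


def scenario_reply_order():
    """The reply's order: 1' key into every KeyFile, 2' principal into the KDC, 3' drop
    afs@REALM from the KDC at once; only a full lifetime later drop kvno 3."""
    kdc, servers = setup()
    for s in servers:
        s.add_key(4, "k-new")                                  # 1'
    kdc.add("afs/cell@REALM", 4, "k-new")                      # 2'
    old_ticket = kdc.issue(now=0, preferred=["afs@REALM"])     # last old-key ticket
    kdc.remove("afs@REALM")                                    # 3'
    failures = rejecting_servers(servers, old_ticket, now=5)   # kvno 3 still in KeyFile
    # From now on even an old-first client can only obtain afs/cell@REALM tickets.
    new_ticket = kdc.issue(now=6, preferred=["afs@REALM", "afs/cell@REALM"])
    failures += rejecting_servers(servers, new_ticket, now=8)
    for s in servers:                                          # hour 10: old key may go
        s.remove_key(3)
    failures += rejecting_servers(servers, new_ticket, now=11)
    return failures


def scenario_kdc_before_keyfile():
    """The order the reply avoids: the KDC issues kvno-4 tickets while fs2 lacks the key."""
    kdc, servers = setup()
    servers[0].add_key(4, "k-new")            # fs2 has not picked up the new KeyFile yet
    kdc.add("afs/cell@REALM", 4, "k-new")
    ticket = kdc.issue(now=0, preferred=["afs/cell@REALM", "afs@REALM"])
    return rejecting_servers(servers, ticket, now=1)


def kvno_collision_detected():
    """Reusing afs@REALM's kvno for afs/cell@REALM would overwrite or clash in a KeyFile
    indexed by kvno only; the model refuses it."""
    _, servers = setup()
    try:
        servers[0].add_key(3, "k-new")
    except ValueError:
        return True
    return False
```

Running the three scenarios shows the two failure modes the reply is guarding against: removing key and principal together strands any old-principal ticket issued in the last lifetime (both servers reject it), and creating the KDC principal before the KeyFile has propagated strands clients on the lagging server, while the reply's 1'/2'/3' order plus a full lifetime's wait yields no rejections.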