On Wed, Dec 12, 2012 at 8:45 AM, Steve Gaarder <gaard...@math.cornell.edu> wrote:

> On Tue, 11 Dec 2012, Harald Barth wrote:
>
>>> 1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
>>> 2. Store the key in a keytab file
>>> 3. Use asetkey to add the key to the keyfile on each of the AFS
>>> servers
>>>
>>
>> Methinks between 1. and 3. tokens with the new key may fail.
>>
>
> Yes, I think you're right. The time period is short enough, though, that
> I think I can live with that.
>

If you script it (kadmin *is* scriptable in recent MIT, with some pain), the
time between creating and adding to the first KeyFile can be milliseconds;
script pushing that to the other servers and it's still likely to be a few
seconds at most.

If using Heimdal, you can use 'ktutil get' and do the first one in
effectively a single operation (ktutil get -k AFS3KEYFILE:... afs/cell@REALM).
Then Kerberos-authenticated parallel ssh to push to the other servers for
minimum latency. :)

--
brandon s allbery kf8nh
sine nomine associates
allber...@gmail.com
ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
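A script of the kind Brandon describes, added here as an example rather than code from anyone in the thread: it runs Steve's three steps back to back so the gap during which tokens with the new key fail is a matter of seconds. It assumes MIT Kerberos (kadmin with -q, klist), OpenAFS asetkey, that it is run as root on one of the AFS servers with admin credentials already in hand, and root ssh/scp access to the others; the principal, keytab path and server names are parameters.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes MIT kadmin/klist, OpenAFS asetkey,
# root on this AFS server with admin credentials held, and root ssh/scp to the
# other servers. Set DRY_RUN=1 to print the commands instead of running them.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: rotate_afs_key PRINCIPAL KEYTAB SERVER...
rotate_afs_key() {
    princ=$1; keytab=$2; shift 2
    # Steps 1+2 in one kadmin call: ktadd generates a fresh random key, bumps
    # the kvno, and writes the new key to the keytab.
    run kadmin -q "ktadd -k $keytab $princ" || return 1
    # asetkey needs the kvno ktadd just assigned; read the highest one back.
    if [ -n "$DRY_RUN" ]; then
        kvno='<kvno>'
    else
        kvno=$(klist -k "$keytab" | awk -v p="$princ" \
            '$2 == p && $1+0 > k { k = $1+0 } END { print k }')
        [ -n "$kvno" ] || { echo "no key for $princ in $keytab" >&2; return 1; }
    fi
    # Step 3: install on this server first, then push to the rest in parallel
    # so the window in which tokens carry a key the servers lack stays short.
    run asetkey add "$kvno" "$keytab" "$princ" || return 1
    fail=$(mktemp) || return 1
    for host in "$@"; do
        (
            run scp -q "$keytab" "$host:/root/afs-new.keytab" &&
            run ssh "$host" "asetkey add $kvno /root/afs-new.keytab $princ && rm -f /root/afs-new.keytab" ||
            echo "$host" >>"$fail"
        ) &
    done
    wait
    if [ -s "$fail" ]; then
        echo "asetkey failed on: $(tr '\n' ' ' <"$fail")" >&2
        rm -f "$fail"; return 1
    fi
    rm -f "$fail"
}

if [ "$#" -ge 3 ]; then rotate_afs_key "$@"; fi
```

Run it first with DRY_RUN=1 to review the exact command sequence; a server listed in the failure message still has only the old key and must be fixed before the old key is retired.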