I made the change and everything seems to be working fine. Thanks for all your advice and enjoy the holidays!

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaar...@math.cornell.edu

On Wed, 12 Dec 2012, Brandon Allbery wrote:

On Wed, Dec 12, 2012 at 8:45 AM, Steve Gaarder <gaard...@math.cornell.edu>
wrote:
      On Tue, 11 Dec 2012, Harald Barth wrote:
            1. Create afs/math.cornell....@math.cornell.edu
            2. Store the key in a keytab file
            3. Use asetkey to add the key to the keyfile on each of the AFS servers


      Methinks between 1. and 3. tokens with the new key may
      fail.


Yes, I think you're right.  The time period is short enough, though,
that I think I can live with that.


If you script it (kadmin *is* scriptable in recent MIT, with some pain), the
time between creating and adding to the first KeyFile can be milliseconds;
script pushing that to the other servers and it's still likely to be a few
seconds at most.  If using Heimdal, you can use 'ktutil get' and do the first
one in effectively a single operation (ktutil get -k AFS3KEYFILE:...
afs/cell@REALM).  Then Kerberos-authenticated parallel ssh to push to the
other servers for minimum latency.  :)

--
brandon s allbery kf8nh                               sine nomine associates
allber...@gmail.com                                  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
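
The scripted sequence suggested in the reply above, as an added example (not code from the thread or from OpenAFS). It assumes MIT kadmin and klist with admin credentials already available, root ssh access to the other servers, and placeholder principal, host and path names.

```shell
#!/bin/sh
# Added example, not from the thread. Principal, paths and hosts are placeholders.
PRINC=${PRINC:-afs/example.edu@EXAMPLE.EDU}
KEYTAB=${KEYTAB:-/root/afs-rekey.keytab}      # must not exist yet
KEYFILE=${KEYFILE:-/usr/afs/etc/KeyFile}      # assumed KeyFile location
SERVERS=${SERVERS:-"afs2.example.edu afs3.example.edu"}

# Read `klist -k` output on stdin; print the highest kvno listed for principal $1.
newest_kvno() {
    awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 }
                   END { if (max) print max; else exit 1 }'
}

# Emit the post-ktadd commands: local KeyFile first, then one push per server.
rekey_plan() {
    echo "asetkey add $1 $KEYTAB $PRINC"
    for h in $SERVERS; do
        echo "scp -p $KEYFILE root@$h:$KEYFILE"
    done
}

rekey() {
    umask 077                      # the keytab holds the cell key
    # A stale keytab would make newest_kvno report an old key.
    [ ! -e "$KEYTAB" ] || { echo "$KEYTAB already exists" >&2; return 1; }
    # ktadd randomizes the key: the window discussed above opens here.
    kadmin -q "ktadd -k $KEYTAB $PRINC" || return 1
    kvno=$(klist -k "$KEYTAB" | newest_kvno "$PRINC") || return 1
    # Run the steps in order and stop at the first failure; the window
    # closes once every server's KeyFile holds the new kvno.
    rekey_plan "$kvno" | sh -e
}

case "${1:-}" in
    --plan) rekey_plan "${2:?kvno required}" ;;   # print steps, change nothing
    --run)  rekey ;;
esac
```

Running it with `--plan <kvno>` prints the commands without touching the KDC or any KeyFile, which is a reasonable check before `--run`.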

