Upgrading Heimdal Operational Mode with Minimal Interruption.

["Henry B. Hotz" <hotz@jpl.nasa.gov>]

Assumption:  Heimdal kdc's running on the same machines as the AFS  
kaservers.  (Not using the kaforwarder.)

Starting point:  Heimdal is slave to kaserver.  hprop from kaserver,  
followed by hprop from Heimdal "master" to Heimdal slaves.  Unencrypted  
databases.

Ending point:  kaserver turned off.  Databases encrypted.  Normal hprop  
from master to slaves.

How to I get there?

I'm guessing it's something like:

1) Turn off hprop from kaserver (delete crontab entry).
2) Create master keyfile and pointer in krb5.conf.
3) Encrypt the database (hprop --encrypt | hpropd on master)
4) Start up kpasswd and add kadmind entry to /etc/inetd.conf on master.
5) Copy master keyfile and krb5.conf change to all slaves.  Delete  
slave DB's and restart slave kdc's.
6) Force an hprop to all slaves.
7) Re-add crontab entry to auto-hprop from master.
8) On each Kerberos server (master and slave) do
   a) Change enable-kerberos4 and enable-kaserver from false to true in  
kdc.conf
   b) bos stop kaserver
   c) Restart kdc

More specifically, the question is about any interactions among the  
master encryption step 3, restarting the slaves, and the hprop to the  
slaves.  What do I need to worry about and do I need to re-order  
anything?

<<I'm just asking a question here.  I'm only including enough of the  
process to make the question make sense and this is not the upgrade  
procedure that I couldn't release at that SLAC conference a bit ago.   
If this discussion becomes the basis of someone else's writeup that  
would be great. ;-) >>
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu