Upgrading Heimdal Operational Mode with Minimal Interruption.
- To: email@example.com
- Subject: Upgrading Heimdal Operational Mode with Minimal Interruption.
- From: "Henry B. Hotz" <firstname.lastname@example.org>
- Date: Wed, 7 Jul 2004 16:15:23 -0700
- In-Reply-To: <email@example.com>
- References: <firstname.lastname@example.org> <email@example.com> <97694520-C683-11D8-8C38-000A95CA746C@jpl.nasa.gov> <firstname.lastname@example.org> <161914A0-C955-11D8-8C38-000A95CA746C@jpl.nasa.gov> <email@example.com> <7AA6C268-CA2B-11D8-8C38-000A95CA746C@jpl.nasa.gov> <firstname.lastname@example.org>
- Sender: email@example.com
Assumption: Heimdal kdc's running on the same machines as the AFS
kaservers. (Not using the kaforwarder.)

Starting point: Heimdal is slave to kaserver. hprop from kaserver,
followed by hprop from Heimdal "master" to Heimdal slaves. Unencrypted.

Ending point: kaserver turned off. Databases encrypted. Normal hprop
from master to slaves.
How do I get there?
I'm guessing it's something like:
1) Turn off hprop from kaserver (delete crontab entry).
2) Create master keyfile and pointer in krb5.conf.
3) Encrypt the database (hprop --encrypt | hpropd on master)
4) Start up kpasswd and add kadmind entry to /etc/inetd.conf on master.
5) Copy master keyfile and krb5.conf change to all slaves. Delete
slave DB's and restart slave kdc's.
6) Force an hprop to all slaves.
7) Re-add crontab entry to auto-hprop from master.
8) On each Kerberos server (master and slave) do
a) Change enable-kerberos4 and enable-kaserver from false to true in
b) bos stop kaserver
c) Restart kdc
More specifically, the question is about any interactions among the
master encryption step 3, restarting the slaves, and the hprop to the
slaves. What do I need to worry about and do I need to re-order
<<I'm just asking a question here. I'm only including enough of the
process to make the question make sense and this is not the upgrade
procedure that I couldn't release at that SLAC conference a bit ago.
If this discussion becomes the basis of someone else's writeup that
would be great. ;-) >>
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org
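One concrete check for the risky part of the sequence above (steps 2, 3 and 5: a slave kdc restarted after the key-file pointer lands in krb5.conf but before the master key is copied will not come up, and a key file readable by others undoes the encryption). This is an added example, not code from the post or from Heimdal; it assumes the settings live in a [kdc] section of krb5.conf, and the paths in the test are constructed.

```shell
#!/bin/sh
# Pre-flight check before restarting a Heimdal kdc once krb5.conf points at
# a master key file. Added example; the [kdc] section layout is assumed.

# Print the value of setting $2 from the [kdc] section of krb5.conf $1
# (prints nothing if the section or the setting is absent).
kdc_setting() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[kdc\][[:space:]]*$/); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
            }
        }' "$1"
}

# Return 0 only if the master key the kdc will load exists and is readable
# by its owner alone; otherwise explain on stderr and return 1.
kdc_preflight() {
    keyfile=$(kdc_setting "$1" key-file)
    if [ -z "$keyfile" ]; then
        echo "no key-file in [kdc]: database would stay unencrypted" >&2; return 1
    fi
    if [ ! -f "$keyfile" ]; then
        echo "$keyfile missing: copy the master key before restarting kdc" >&2; return 1
    fi
    # ls -l mode string: type, user bits, then group and other bits (chars 5-10)
    case $(ls -ld "$keyfile") in
        ????------*) ;;
        *) echo "$keyfile is readable by group/other; chmod 600 it" >&2; return 1 ;;
    esac
    echo "kdc ok: key-file=$keyfile" \
         "enable-kerberos4=$(kdc_setting "$1" enable-kerberos4)" \
         "enable-kaserver=$(kdc_setting "$1" enable-kaserver)"
}
```

Run it on each slave after step 5 and again after step 8a; the last line also echoes the two emulation flags so the per-host state is visible in the same place.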