From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from duke.felloff.net ([216.126.196.34]) by ur; Sat Jun 4 21:44:06 EDT 2016
Message-ID: <005ef1d6698a8423dc46792462d84760@felloff.net>
Date: Sun, 5 Jun 2016 03:43:58 +0200
From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: RE: [9front] The last CD distribution
In-Reply-To: <201606050026.u550QI3a027713@mailmsa11.mozu.eo.k-opti.ad.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: shared abstract SOAP service hypervisor-aware controller

> If the process was expected one.
> We have to reboot the auth/file/cpu server whenever we add
> a user onto this system.
> Am I wrong?
> Kenji

that depends.

the authserver needs to be rebooted after you converted to aes format.
or at least you'd have to kill the listener for /rc/bin/service.auth
and restart it with a new instance of auth/keyfs in its namespace.

you might need to reboot your cpu/file server, or install the new
dp9ik key to its hostowner factotum manually by mounting /srv/factotum
and writing the ctl file. a reboot can do that given you have updated
its nvram or installed the new key in secstore. if you already had a
dp9ik key in its factotum and they match with what the authserver has
in its keydb, then no reboot is necessary.

the most important thing is making sure the authserver's database has
the keys for your cpu/file/auth server's hostowners. once you have
that you can use auth/debug or try to authenticate as these users and
see if everything works and make sure the clients and server have the
right keys in their factotums. if the authserver doesn't have keys for
your server and terminal it cannot work.

on the client side, you only get "key mismatch" error when your client
key doesn't match with the authserver. the client can detect this as it
will fail to decrypt the ticket from the authserver. if the server's
key doesn't match the authserver's you get protocol botch error. this
is because the server will terminate the connection when it gets a
ticket it cannot decrypt.

--
cinap
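
A toy model of the two failure modes described in this message, added here as an example and not part of the original post or of 9front's code: the authserver seals one session key for the client and one for the server, and whichever side cannot open its copy determines the error. The seal/unseal cipher, the function names, the "no key in authserver keydb" string and the sample keys are assumptions made for illustration, not the dp9ik wire format.

```python
import hashlib
import hmac
import os

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption, a stand-in for the real ticket cipher."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def authserver(keydb: dict, client: str, server: str):
    """Seal one fresh session key under each party's key from the keydb."""
    if client not in keydb or server not in keydb:
        return None
    session = os.urandom(32)
    return seal(keydb[client], session), seal(keydb[server], session)

def authenticate(keydb, client, client_key, server, server_key) -> str:
    """Model which side notices a stale key, and what the client sees."""
    tickets = authserver(keydb, client, server)
    if tickets is None:
        return "no key in authserver keydb"  # model's own label, not a real message
    client_ticket, server_ticket = tickets
    # The client opens its own ticket first, so it can detect its own bad key.
    if unseal(client_key, client_ticket) is None:
        return "key mismatch"
    # The client forwards the server's ticket; a server that cannot decrypt
    # it drops the connection, which the client only sees as a broken dialog.
    if unseal(server_key, server_ticket) is None:
        return "protocol botch"
    return "ok"

if __name__ == "__main__":
    keydb = {"glenda": b"client-aes-key", "cpu": b"server-aes-key"}  # constructed
    for ck, sk in [(b"client-aes-key", b"server-aes-key"),
                   (b"old-des-era-key", b"server-aes-key"),
                   (b"client-aes-key", b"old-des-era-key")]:
        print(ck, sk, "->", authenticate(keydb, "glenda", ck, "cpu", sk))
```
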