As an existing admin, create the new admin principal:
- Start kadmin:
    kadmin
- Observe the expiry date(s) for their existing principal(s); the new admin principal should get the same expiry below:
    get USERNAME*
- Create the new principal with a random key so that the flags/attributes are properly set (solving "the Tuesday problem"):
    add -r --use-defaults --expiration-time=YYYY-MM-DD --max-ticket-life="25 hours" --max-renewable-life=unlimited --pw-expiration-time=never --attributes="" USERNAME/admin
- Overwrite the random key with a password known to the user (have them type it themselves rather than sending it to them in clear text):
    passwd USERNAME/admin
- Check the result before leaving, in particular that the expiry and attributes are what you asked for:
    get USERNAME/admin
    exit
As root, on all KDCs (the ACL is a local file on each KDC and is not replicated), allow the new principal to use kadmin:
- Open /etc/heimdal-kdc/kadmind.acl
- Add the line:
    USERNAME/admin all,get-keys
  ("all" does not include get-keys, so both rights are needed.)
- Check from a client once the user has their password: kadmin -p USERNAME/admin get USERNAME/admin should succeed.
As admin (with an AFS token that is in system:administrators), on any one machine with an AFS client, create the matching AFS identity and make it an administrator. AFS writes the instance with "." where Kerberos uses "/", hence USERNAME.admin:
    pts cu USERNAME.admin
    pts adduser USERNAME.admin system:administrators
Check with pts membership USERNAME.admin.
As root, on all AFSDB servers (currently ns[123]) and fileservers (core-afs-0[12], storage-0[45]):
- Edit /etc/openafs/server/UserList
- Add the line USERNAME.admin
- Make sure you modify the file on all of them! UserList is per server and not replicated, and any server missing the entry will refuse privileged bos/vos operations from the new admin. Check each one with bos listusers -server HOST.
As admin, find the user in /afs/club/service/etc/passwd.user, remove their line from it, and add it instead to both /afs/club/service/etc/passwd.admin and /afs/club/service/etc/passwd.core.
Also tell sbaugh to add people to the LDAP "wheel" group. (LDAP seems to be defunct now, so this step may no longer apply.)
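The file edits in the procedure above (kadmind.acl on every KDC, UserList on every server, and the passwd.user to passwd.admin/passwd.core move) are the steps most often half-done or done twice. The following is an added example helper, not the club's own tooling: it wraps those edits in idempotent shell functions. File paths are passed as parameters so the functions can be tried against scratch copies first; the real paths are the ones named above. The kadmin and pts steps are still run by hand.

```shell
#!/bin/sh
# Added example helper, not part of the club's runbook: the file edits from the
# admin procedure (kadmind.acl, UserList, passwd.user -> passwd.admin/passwd.core)
# as idempotent functions. Paths are parameters so you can test on copies; the
# real ones are
#   /etc/heimdal-kdc/kadmind.acl          (every KDC, as root)
#   /etc/openafs/server/UserList          (every db and file server, as root)
#   /afs/club/service/etc/passwd.{user,admin,core}  (any client, as admin)

# Print the kadmin "add" line from the procedure for USER with the given expiry.
kadmin_add_cmd() {
    user=$1; expiry=$2
    printf 'add -r --use-defaults --expiration-time=%s --max-ticket-life="25 hours" --max-renewable-life=unlimited --pw-expiration-time=never --attributes="" %s/admin\n' "$expiry" "$user"
}

# Append LINE to FILE unless an identical line is already there, so running the
# procedure twice (or on a host that was already done) does not duplicate entries.
add_line_once() {
    file=$1; line=$2
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# kadmind.acl: "all" does not include get-keys, so both rights are listed.
grant_kadmin_acl() {
    acl_file=$1; user=$2
    add_line_once "$acl_file" "$user/admin all,get-keys"
}

# UserList: AFS spells the instance with "." instead of "/".
add_afs_superuser() {
    userlist=$1; user=$2
    add_line_once "$userlist" "$user.admin"
}

# Move USER's passwd entry out of passwd.user and into passwd.admin and
# passwd.core. The pattern anchors on "USER:" so alice does not match alice2.
move_passwd_entry() {
    user=$1; pw_user=$2; pw_admin=$3; pw_core=$4
    entry=$(grep -- "^$user:" "$pw_user") || {
        echo "no entry for $user in $pw_user" >&2
        return 1
    }
    # grep -v exits 1 when no lines remain; that is not an error here.
    grep -v -- "^$user:" "$pw_user" > "$pw_user.tmp" || true
    mv -- "$pw_user.tmp" "$pw_user"
    add_line_once "$pw_admin" "$entry"
    add_line_once "$pw_core" "$entry"
}

# To apply on the current host with the real paths, uncomment as appropriate:
# grant_kadmin_acl /etc/heimdal-kdc/kadmind.acl USERNAME
# add_afs_superuser /etc/openafs/server/UserList USERNAME
# move_passwd_entry USERNAME /afs/club/service/etc/passwd.user \
#     /afs/club/service/etc/passwd.admin /afs/club/service/etc/passwd.core
```

Source the file and call the functions host by host; because each append is guarded by an exact-line match, re-running on a server you have already fixed is harmless, which makes "did I do ns3?" a question you can answer by just running it again.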