copy users from one realm to another

Paul B. Henson henson at acm.org
Wed Jun 25 18:16:33 EDT 2014


> From: Greg Hudson
> Sent: Tuesday, June 24, 2014 7:47 PM
>
> Sorry to be unclear; I was referring to the kadmin renprinc command.  In
> addition to renaming the principal, it adds an explicit salt.

Ah, I see; there is no "set salt" command per se, but it's a side effect of
the rename command.

So, when a principal is renamed, an explicit salt is configured specifying
what the default salt would have been before the rename. When the password
for that principal is later changed, does it revert back to the default
salt?

So to copy realm A to create a new realm B with the existing user base, able
to use existing passwords, it seems one would:

* bring up a new server for realm A
* isolate it so it no longer replicates with the existing realm A servers
* rename all of the principals to <name>-newrealm, then back to <name> to
store the salt
* shut down the new server, dump the LDAP backend, replace A with B, load the
new LDIF
* update kadmin/kdc configuration
* start new server
* fiddle with keytabs etc
* success?

> As it turns out, I know someone who had to rename a realm a few weeks
> ago, and after resolving the above issues reported success.

Sweet. I'll have to test this out and see how it goes.

> In case it wasn't obvious, I should also have mentioned that any
> references to principal names in ACL files (or the equivalent) must be
> updated, and all server keytabs must be re-provisioned.  This is
> probably the hardest part in a large-scale deployment.  (In some cases
> server keytabs might continue to work, but I wouldn't count on it.)

In my case, as I'm not actually renaming an existing realm but trying to
stand up a new one alongside the existing one, pre-populated with the
existing principals, it should be a lot simpler, as there will be no flag day
where everything will have to transition from realm A to realm B. We will
have about a year to migrate things in a hopefully controlled fashion :).

Thanks for the help.
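The rename round-trip in the procedure above works because of how MIT krb5 salts password-derived keys. With no explicit salt, the salt is the realm name followed by the principal's name components concatenated (RFC 3962 uses "ATHENA.MIT.EDUraeburn" for raeburn@ATHENA.MIT.EDU), so a key derived under realm A silently stops matching once the same entry is labelled realm B; an explicit salt stored in the entry is used as-is wherever the entry ends up. The following Python is an added example, not code from this thread or from MIT Kerberos: it computes the default salt and the PBKDF2 stage of the RFC 3962 aes-cts string-to-key (the final DK() step needs AES and is omitted), and models the add/rename/copy steps with a simplified KDB entry (KdbEntry, renprinc, copy_to_realm and the sample principal alice@A.EXAMPLE are all assumptions made for the illustration, not kadmin's own data model).

```python
"""Why the renprinc round-trip keeps passwords working after a realm copy.

Added example for illustration; not code from the mailing-list post or
from MIT Kerberos.  KdbEntry and the helpers below are a simplified model
of what kadmin / kdb5_util do, assumed here to show the salting rule.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 4096   # RFC 3962 default for aes*-cts-hmac-sha1-96
KEY_BYTES = 16             # aes128: 128-bit PBKDF2 output


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/kdc.example.com@A.EXAMPLE' -> (['host', 'kdc.example.com'], 'A.EXAMPLE')."""
    name, at, realm = principal.rpartition("@")
    if not at or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def default_salt(principal: str) -> str:
    """MIT default salt: realm, then every name component, with no separators."""
    components, realm = split_principal(principal)
    return realm + "".join(components)


def pbkdf2_stage(password: str, salt: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1(password, salt)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, KEY_BYTES)


@dataclass
class KdbEntry:
    """Simplified KDB entry: name, stored key material, optional explicit salt."""
    principal: str
    key: bytes
    explicit_salt: Optional[str] = None

    def effective_salt(self) -> str:
        """The salt the KDC tells clients to use (ETYPE-INFO2): explicit if set, else default."""
        if self.explicit_salt is not None:
            return self.explicit_salt
        return default_salt(self.principal)


def add_principal(principal: str, password: str) -> KdbEntry:
    """Like 'kadmin addprinc': key stored with the implicit default salt."""
    return KdbEntry(principal, pbkdf2_stage(password, default_salt(principal)))


def renprinc(entry: KdbEntry, new_principal: str) -> KdbEntry:
    """Like 'kadmin renprinc': keeps the key and pins the salt in effect under the old name."""
    return KdbEntry(new_principal, entry.key, entry.effective_salt())


def copy_to_realm(entry: KdbEntry, new_realm: str) -> KdbEntry:
    """The dump / edit realm / load step: name changes realm, key and explicit salt carry over."""
    components, _ = split_principal(entry.principal)
    return KdbEntry("/".join(components) + "@" + new_realm, entry.key, entry.explicit_salt)


def client_can_authenticate(entry: KdbEntry, password: str) -> bool:
    """A client derives its key from the password and the salt the KDC advertises."""
    return pbkdf2_stage(password, entry.effective_salt()) == entry.key


def realm_copy_preserves_password(principal: str, password: str,
                                  new_realm: str, rename_trick: bool) -> bool:
    """Run the procedure from the post (with or without the rename round-trip)."""
    entry = add_principal(principal, password)
    if rename_trick:
        name, _, realm = principal.rpartition("@")
        entry = renprinc(entry, f"{name}-newrealm@{realm}")   # stores A's default salt
        entry = renprinc(entry, principal)                    # back to <name>, salt kept
    entry = copy_to_realm(entry, new_realm)
    return client_can_authenticate(entry, password)


if __name__ == "__main__":
    # Constructed sample: alice's entry copied from realm A.EXAMPLE to B.EXAMPLE.
    for trick in (False, True):
        ok = realm_copy_preserves_password("alice@A.EXAMPLE", "correct horse",
                                           "B.EXAMPLE", trick)
        print(f"rename trick={trick}: password still works={ok}")
```

The rename before the copy is what matters: without it, the copied entry has no explicit salt, the new KDC advertises the realm-B default salt, and the client's derived key no longer matches the stored one.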


