Migrating a Kerberos Realm

Edward Murrell edward at dlconsulting.com
Wed Nov 1 17:38:05 EST 2006


I'd like to know if anyone has any practical experience in migrating a
Kerberos realm.

Back in the day, when I was learning about Kerberos, I set up the local
realm with the name 'OFFICE'. Since we had a local domain of the same
name, this was fine, and I propagated information via DNS and
everything was happy.

Since then, we've expanded somewhat, and we now have a bunch of off-site
servers. Currently, I've got a bunch of servers in the US, and some in
NZ, as well as our local office servers, and workstations. It turns out
that it is possible to make this work, but it requires a bigger config
file than, and updating the files every time something changes.

[libdefaults]
        default_realm = OFFICE


The plan is to move the whole shebang to a COMANY.COM realm. However,
I'd like to do this while causing as little downtime and disruption as
possible. I had originally planned to run two realms in parallel and
tell them to trust each other. Unfortunately, MIT Kerberos doesn't
appear to allow you to run two KDCs on the same server.

Anyone have ideas?

Regards
Edward Murrell
edward at dlconsulting.com



