Migrating a Kerberos Realm

Edward Murrell edward at dlconsulting.com
Wed Nov 1 20:55:40 EST 2006


Ken Raeburn wrote:
> You can, but you have to write the config files to specify different
> port numbers for them. (The code doesn't currently support using only
> some of a machine's IP addresses, if you wanted to put one on one
> address and one on another.) The code theoretically supports serving
> multiple realms out of one KDC process, too, but we don't test that
> functionality often. I'd be interested in any observations if you try it.
>
> You may also be able to convert entries from one realm into entries in
> the other realm. It'll take a bit of programming work, because our
> tools don't directly support it, but basically, you'd start with
> copying database records over. That would include the raw keys
> (encrypted in the database master key, which would have to be kept the
> same while this is done), but not the passwords. In programs like
> kinit, the keys are constructed from the password and a "salt" string,
> which by default is in turn constructed from the principal name,
> including the realm name. But the database can store a special salt
> string for a principal's key, so you'd modify some (most?) entries for
> users to have the salt string computed based on the old realm name.
>
> You'd still have to distribute new keytabs, update config files, etc.,
> for the transition, but it may keep you from needing to reset
> everyone's passwords, rekey machines, etc.
>
> Ken
Given the size of the company (eight people, twice that many machines),
I won't be able to justify the work of writing code to reconstruct
database records, and re-entering passwords isn't too big a deal. So it
looks like I'll be running two KDCs from one server. I'll probably
switch over a backup server rather than using the primary KDC; that's
just asking for trouble.

In order to avoid completely breaking everything, the secondary KDC will
have the default ports use the new realm and use weirdo ports (default +
1) for the 'old' realm. This will be interesting.

Edward
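As an added example (not part of the original thread), here is how the port scheme described above, new realm on the standard port and old realm on default + 1, could be expressed in MIT Kerberos kdc.conf and the matching client krb5.conf [realms] stanzas; the realm names, host name and file paths are assumptions.

```ini
# --- kdc.conf on the secondary KDC host ---
# One krb5kdc process can serve both realms when started as
#   krb5kdc -r NEW.EXAMPLE.COM -r OLD.EXAMPLE.COM
# kadmind serves a single realm per process, so the old realm needs its
# own kadmind started with -r OLD.EXAMPLE.COM.
# Realm names, paths and the "default + 1" port numbers are constructed.
[kdcdefaults]
    # Applies to any realm that does not override it.
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    # New realm keeps the standard ports, so reconfigured clients just work.
    NEW.EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal
        key_stash_file = /var/krb5kdc/.k5.NEW.EXAMPLE.COM
        acl_file = /var/krb5kdc/kadm5.acl
        kdc_ports = 88
        kdc_tcp_ports = 88
        kadmind_port = 749
        kpasswd_port = 464
    }

    # Old realm moves to default + 1 for every service so nothing collides
    # with the new realm on the same addresses.
    OLD.EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal.old
        key_stash_file = /var/krb5kdc/.k5.OLD.EXAMPLE.COM
        acl_file = /var/krb5kdc/kadm5.acl.old
        kdc_ports = 89
        kdc_tcp_ports = 89
        kadmind_port = 750
        kpasswd_port = 465
    }

# --- krb5.conf [realms] on clients that still use the old realm ---
# Without the explicit :port, clients would hit the new realm's KDC on 88
# and fail with a "wrong realm" style error instead of reaching the old KDC.
[realms]
    NEW.EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
    OLD.EXAMPLE.COM = {
        kdc = kdc.example.com:89
        admin_server = kdc.example.com:750
        kpasswd_server = kdc.example.com:465
    }
```

Each realm also needs its own master key stash and database, created separately with kdb5_util -r for that realm, before krb5kdc will start with both; keep the old realm's non-default ports reachable through any host firewall only for as long as the transition lasts.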


