Migrating a Kerberos Realm
Ken Raeburn
raeburn at MIT.EDU
Wed Nov 1 21:03:20 EST 2006
On Nov 1, 2006, at 20:55, Edward Murrell wrote:
> Given the size of the company (eight people, twice that many machines),
> I won't be able to justify the work of writing code to reconstruct
> database records, and re-entering passwords isn't too big a deal. So it
> looks like I'll be running two KDCs from one server. I'll probably
> switch over a backup server, rather than using the primary KDC, that's
> just asking for trouble.
Ah, I see. From my initial reading of your description I thought it
might've been larger...
> In order to avoid completely breaking everything, the secondary KDC
> will have the default ports use the new realm and use weirdo ports
> (default + 1) for the 'old' realm. This will be interesting.
That should work fine. Though I think we might have a pair of
services on neighboring port numbers, I'm not sure if they're ones
you'd be running on a backup server. I'd probably just go for default
+10000 or something, myself....
You might want to take a peek at our test suite (src/tests/dejagnu),
which fires up all the KDC programs on alternate ports, puts the
proper specs in the config files, etc. It's not terribly easy to
read, though, unless you're familiar with Tcl already.
Ken
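
The two-realms-on-one-host layout discussed in this message, sketched as an added configuration example (not taken from the message or from the MIT test suite). The realm names, hostname and file paths are placeholders, and the old realm uses the default +10000 offset suggested above.

```ini
# ---- kdc.conf on the backup server (kdc2.example.com is a placeholder) ----
# Start one KDC process for both realms:  krb5kdc -r NEW.EXAMPLE.COM -r OLD.EXAMPLE.COM
[realms]
    # New realm: answers on the default Kerberos port.
    NEW.EXAMPLE.COM = {
        kdc_ports = 88
        # Each realm needs its own database and stash file (placeholder paths).
        database_name = /var/krb5kdc/principal.new
        key_stash_file = /var/krb5kdc/.k5.NEW.EXAMPLE.COM
    }
    # Old realm: same host, default port + 10000, so nothing else is displaced.
    OLD.EXAMPLE.COM = {
        kdc_ports = 10088
        database_name = /var/krb5kdc/principal.old
        key_stash_file = /var/krb5kdc/.k5.OLD.EXAMPLE.COM
    }

# ---- krb5.conf on client machines ----
[libdefaults]
    default_realm = NEW.EXAMPLE.COM

[realms]
    NEW.EXAMPLE.COM = {
        kdc = kdc2.example.com
    }
    # Clients only reach the old realm if the non-default port is spelled out.
    OLD.EXAMPLE.COM = {
        kdc = kdc2.example.com:10088
    }
```

Any host firewall in front of the server has to allow the alternate port as well, or requests for the old realm will time out rather than fail cleanly.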