Migrating a Kerberos Realm

Ken Raeburn raeburn at MIT.EDU
Wed Nov 1 21:03:20 EST 2006


On Nov 1, 2006, at 20:55, Edward Murrell wrote:
> Given the size of the company (eight people, twice that many machines),
> I won't be able to justify the work of writing code to reconstruct
> database records, and re-entering passwords isn't too big a deal. So it
> looks like I'll be running two KDCs from one server. I'll probably
> switch over a backup server, rather than using the primary KDC, that's
> just asking for trouble.

Ah, I see.  From my initial reading of your description I thought it  
might've been larger...

> In order to avoid completely breaking everything, the secondary KDC will
> have the default ports use the new realm and use weirdo ports (default +
> 1) for the 'old' realm. This will be interesting.

That should work fine.  Though I think we might have a pair of
services on neighboring port numbers, I'm not sure if they're ones
you'd be running on a backup server.  I'd probably just go for
default +10000 or something, myself....

You might want to take a peek at our test suite (src/tests/dejagnu),  
which fires up all the KDC programs on alternate ports, puts the  
proper specs in the config files, etc.  It's not terribly easy to  
read, though, unless you're familiar with Tcl already.

Ken
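
The two-realm layout discussed in this thread, sketched as an added configuration example (not from either poster and not taken from the MIT test suite). It assumes two separate krb5kdc/kadmind instances on one host, the old realm moved to default+10000 as suggested above, and key names as in current MIT krb5 documentation; the realm names, host name and file paths are constructed placeholders.

```ini
# --- /etc/krb5.conf on clients and on the KDC host (path is a placeholder) ---
[libdefaults]
    default_realm = NEW.EXAMPLE.COM

[realms]
    # New realm on the standard ports (88, 749, 464): no port suffix needed.
    NEW.EXAMPLE.COM = {
        kdc = kdc2.example.com
        admin_server = kdc2.example.com
    }
    # Old realm on default+10000. Clients must name the port explicitly,
    # otherwise they contact port 88 and reach the new realm's KDC.
    OLD.EXAMPLE.COM = {
        kdc = kdc2.example.com:10088
        admin_server = kdc2.example.com:10749
        kpasswd_server = kdc2.example.com:10464
    }

# --- kdc.conf for the OLD realm instance (placeholder path:
#     /var/krb5kdc-old/kdc.conf). Each instance is started with
#     KRB5_KDC_PROFILE pointing at its own kdc.conf, so the two daemons
#     never bind the same ports or open the same database. ---
[kdcdefaults]
    kdc_ports = 10088
    kdc_tcp_ports = 10088

[realms]
    OLD.EXAMPLE.COM = {
        # A separate database, stash file and ACL file per realm keeps the
        # old realm's keys and admin rights apart from the new realm's.
        database_name = /var/krb5kdc-old/principal
        key_stash_file = /var/krb5kdc-old/.k5.OLD.EXAMPLE.COM
        acl_file = /var/krb5kdc-old/kadm5.acl
        kadmind_port = 10749
        kpasswd_port = 10464
    }
```

Host firewall rules need the same port split: opening only 88, 749 and 464 leaves the old realm unreachable during the migration, and the extra ports should be closed again once the old realm is retired.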


