Migrating a Kerberos Realm

Edward Murrell edward at dlconsulting.com
Tue Nov 21 17:09:19 EST 2006


Things aren't working too well.

So possibly against my better judgement, I now have two realms traipsing
around the network.

For those who deleted the conversation, I have a non-canonical
domain/realm (.office) and it would be really good to have the overseas
servers using Kerberos. This is somewhat difficult with a domain that
doesn't work outside the office.

Anyhoo, the decision has been made to create a COMPANY.COM realm and do
cross realm authentication to ease the transition between the two realms.

The COMPANY.COM realm works great. According to the documentation here:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.4/doc/krb5-admin/Cross-realm-Authentication.html
I've run these two commands (on both servers):

addprinc -requires_preauth krbtgt/OFFICE@COMPANY.COM
addprinc -requires_preauth krbtgt/COMPANY.COM@OFFICE


And er... it doesn't work. Did I miss something?

Kerberos kdc (and clients) are 1.4.3 running on Ubuntu Linux (Dapper).

Edward

Ken Raeburn wrote:
> On Nov 1, 2006, at 20:55, Edward Murrell wrote:
>> Given the size of the company (eight people, twice that many machines),
>> I won't be able to justify the work of writing code to reconstruct
>> database records, and re-entering passwords isn't too big a deal. So it
>> looks like I'll be running two KDCs from one server. I'll probably
>> switch over a backup server, rather than using the primary KDC, that's
>> just asking for trouble.
>
> Ah, I see.  From my initial reading of your description I thought it
> might've been larger...
>
>> In order to avoid completely breaking everything, the secondary KDC will
>> have the default ports use the new realm and use weirdo ports (default +
>> 1) for the 'old' realm. This will be interesting.
>
> That should work fine.  Though I think we might have a pair of
> services on neighboring port numbers, I'm not sure if they're ones
> you'd be running on a backup server.  I'd probably just go for
> default+10000 or something, myself....
>
> You might want to take a peek at our test suite (src/tests/dejagnu),
> which fires up all the KDC programs on alternate ports, puts the
> proper specs in the config files, etc.  It's not terribly easy to
> read, though, unless you're familiar with Tcl already.
>
> Ken
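As an added example (not from the thread or from MIT), a client krb5.conf for the two-realm setup discussed above: the OFFICE KDC runs on the default+10000 ports Ken suggests, on the same host as the COMPANY.COM KDC, and the hostname kdc.company.com is an assumption. The linked MIT page also requires the krbtgt/OFFICE@COMPANY.COM and krbtgt/COMPANY.COM@OFFICE entries to carry the same password, key version number and encryption types in both databases, and every client must be able to reach both KDCs.

```ini
# Added example client configuration, not the poster's own file.
# Hostnames and ports are assumptions chosen to match the thread.
[libdefaults]
    default_realm = COMPANY.COM

[realms]
    COMPANY.COM = {
        kdc = kdc.company.com:88
        admin_server = kdc.company.com:749
    }
    OFFICE = {
        # Same host as COMPANY.COM; default+10000 ports so the two
        # KDC/kadmind pairs never collide (kdc.conf on the KDC host
        # must start the OFFICE realm on these ports).
        kdc = kdc.company.com:10088
        admin_server = kdc.company.com:10749
    }

[domain_realm]
    # Map hostnames in each DNS domain to its realm so a client in
    # one realm asks its own KDC for a cross-realm TGT to the other.
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
    .office = OFFICE
    office = OFFICE

[capaths]
    # Optional for a direct two-realm trust, but it records the path
    # explicitly: "." means no intermediate realm in either direction.
    OFFICE = {
        COMPANY.COM = .
    }
    COMPANY.COM = {
        OFFICE = .
    }
```

With this in place, `kinit user@OFFICE` followed by a request for a service in COMPANY.COM should show both krbtgt/OFFICE@OFFICE and krbtgt/COMPANY.COM@OFFICE in `klist` if the cross-realm keys match on both KDCs.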