Migrating a Kerberos Realm
Edward Murrell
edward at dlconsulting.com
Wed Nov 29 21:25:23 EST 2006
I thought I'd post back here how I got on.
So it turned out to be a funky combination of my earlier silliness in
having single names as hostnames (apollo, instead of apollo.office),
returning the single hostname in the reverse DNS, and having a single
name set in the /etc/hostname (which I'm sure should be the shortname).
This led to some weird behaviour where I could connect to a machine via
ssh, and use the new password, but couldn't SSO through to it without a
password.
I also discovered the hard way how to do name mapping.
In your krb5.conf, under domain_realm, you need something like:
OFFICE = {
auth_to_local = RULE:[1:$1]
auth_to_local = RULE:[2:$1]
auth_to_local = DEFAULT
}
This is probably really really bad unless you're trying to migrate a realm
(eg, user at REALM1 is the same person as user at REALM2).
In the meantime, I'm resigned to having really big krb5.conf files while
in transition. Such is life.
--
The next step will be to roll out a full krb5.conf to every machine, add
proper host/complete.domain.name.com at REALM to each keytab, convert
all the machines over to using the new realm, then move the users one by
one to the new domain. Cool! :) Hopefully, I'll move over the entire
infrastructure, switch all the users over, and most users will not be
any the wiser, except when I tell them to re-enter their password.
Cheers
Edward
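To see why the rules above are risky outside a migration, here is a small model of how krb5 evaluates auth_to_local rules (RULE:[n:string](regexp)s/pat/rep/ and DEFAULT). This is added example code, not anything from the post or from MIT krb5; it follows MIT's semantics as I understand them (rules come from the default realm's section and are applied to principals from every realm, component count must match, the regexp must match the whole formatted string), and OFFICE.EXAMPLE stands in as a placeholder for the new realm.

```python
import re

# Model of MIT krb5 auth_to_local evaluation (added example, not the post's code).
# Rule syntax: RULE:[n:string](regexp)s/pat/rep/g  or  DEFAULT.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]((?:\([^)]*\))?)((?:s/[^/]*/[^/]*/g?)*)$")

def parse_principal(princ):
    """'user/inst@REALM' -> (['user', 'inst'], 'REALM'); no escaping support."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, comps, realm, default_realm):
    """Return the local name this rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    n, fmt, cond, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != n:           # component count must match exactly
        return None
    s = fmt.replace("$0", realm)  # $0 is the realm, $1..$n the components
    for i, c in enumerate(comps, 1):
        s = s.replace(f"${i}", c)
    if cond and not re.fullmatch(cond[1:-1], s):  # regexp must match whole string
        return None
    for pat, rep, g in re.findall(r"s/([^/]*)/([^/]*)/(g?)", subs):
        s = re.sub(pat, rep, s, count=0 if g else 1)
    return s

def auth_to_local(principal, rules, default_realm):
    """First applicable rule wins; None means no local account is granted."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, comps, realm, default_realm)
        if local is not None:
            return local
    return None

# The post's rules: no realm check, so 'user' from ANY realm becomes local 'user'.
MIGRATION_RULES = ["RULE:[1:$1]", "RULE:[2:$1]", "DEFAULT"]
# Scoped variant (constructed): only the old realm OFFICE is mapped, via $0.
SCOPED_RULES = ["RULE:[1:$1@$0](.*@OFFICE)s/@OFFICE$//", "DEFAULT"]

if __name__ == "__main__":
    for p in ["alice@OFFICE", "alice@OFFICE.EXAMPLE", "alice@OTHER.REALM"]:
        print(p, auth_to_local(p, MIGRATION_RULES, "OFFICE.EXAMPLE"),
              auth_to_local(p, SCOPED_RULES, "OFFICE.EXAMPLE"))
```

With the post's rules alice@OTHER.REALM also lands on local user alice, and host/apollo.office@OFFICE becomes local user host; the scoped variant refuses both.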
Ken Hornstein wrote:
>> As requested;
>> [...]
>>
>
> I confess ... I'm not sure what's going wrong here. A common error is
> that the enctypes or the kvno's don't match ... but you seem to have that
> all correct.
>
> From my memory, the error you were seeing was "Key table entry not found",
> right? That's KRB5_KT_NOTFOUND, and that's almost certainly coming from
> lib/kdb/keytab.c. I guess if I were you, I would run the KDC under a debugger
> and see exactly why I'm getting that error.
>
> --Ken