Moving kerberos infrastructure

John Hascall john at iastate.edu
Wed Dec 12 01:51:29 EST 2007



> I know just enough about Kerberos to screw things up badly, and I'm
> faced with my krb infrastructure running on hardware that is getting
> old enough to start having issues.  I have plenty of admin experience
> but for some reason I can never manage to wrap my head around all of
> the Kerberos intricacies at once.
> 
> What I need to do is move both my primary and secondary KDCs to
> different machines.  Not necessarily both at the same time, mind you,
> but everything does need to move eventually.  I'm pretty sure I can
> move the secondary without totally hosing everything but I'm not at
> all sure how to move the primary.  Does anyone have any handy pointers
> to documentation on doing this, or any tips?
> 
> Both servers are running MIT krb5 1.3.6.  Nothing special as far as I
> know.  The clients have the servers listed by DNS alias in krb5.conf;
> I'm not using SRV records but at least things aren't listed by IP.

It's not too bad really, I've done it several times.
As you surmise, it's pretty easy to set up your new
secondary, copy a DB over to it and point a few
test clients at it and see how it goes before switching
it in.  And if you make a few boo-boos probably nobody
notices anyway.

When switching the primary, you need to disable kadmind
on the old box, then copy the DB one last time to the new 
master before renaming/re-ip-ing it as the production master.
If you do this at an hour when password changes and new
principal creations are unlikely, nobody should notice this
either (except boneheads who configured their machines to only
know about the master).

Make sure you have a proper keytab ready on the new box
for its future (production) name as well as the name you
test it under.


John
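The master cut-over and the "keytab ready under both names" check from the reply above, as an added example that is not part of the original post. The realm, the old master's name, the name the new box is tested under and its future production name are assumptions, as are the dump path and the use of host/ keys for the keytab check.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: realm, old master, the
# name the new box is tested under, and the production name it will take over.
REALM="EXAMPLE.COM"
OLD_MASTER="kdc-old.example.com"
NEW_TEST="kdc-new.example.com"
PROD_NAME="kerberos.example.com"

# Is principal $2 listed in the 'klist -k' output passed as $1?
# Entry lines look like "   2 host/kdc-new.example.com@EXAMPLE.COM".
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Before renaming, the keytab must carry the key for the test name AND the
# production name; otherwise one of them stops working after the cut-over.
# (Assumes host/<fqdn> keys; add kadmin/<fqdn> here if your kadmind uses it.)
keytab_ready_for_rename() {
    keytab_has_principal "$1" "host/$NEW_TEST@$REALM" &&
    keytab_has_principal "$1" "host/$PROD_NAME@$REALM"
}

# The master cut-over from the reply, as commands. Not run by the check below.
# Prerequisite: the new box already holds the same master key (stash file), as
# any secondary must, or the KDC cannot decrypt the loaded database.
cutover_master() {
    ssh "$OLD_MASTER" 'pkill kadmind'                       # 1. no more changes
    ssh "$OLD_MASTER" 'kdb5_util dump /var/tmp/final.dump'  # 2. final dump
    scp "$OLD_MASTER:/var/tmp/final.dump" "$NEW_TEST:/var/tmp/final.dump"
    ssh "$NEW_TEST" 'kdb5_util load /var/tmp/final.dump && rm -f /var/tmp/final.dump'
    ssh "$OLD_MASTER" 'rm -f /var/tmp/final.dump'           # dump holds every key
    # 3. now rename / re-IP $NEW_TEST to $PROD_NAME and start kadmind there.
}

# Constructed 'klist -k' output from the new box, so this runs stand-alone.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/kdc-new.example.com@EXAMPLE.COM
   2 host/kerberos.example.com@EXAMPLE.COM'

if keytab_ready_for_rename "$SAMPLE_KLIST"; then
    echo "keytab covers both names: safe to rename"
else
    echo "keytab is missing a name: ktadd it before the rename" >&2
fi
```

Run the check against the real output of `klist -k` on the new box before the rename; leave `cutover_master` for the maintenance window itself.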
