Migrating from 1 Kerberos Realm to another, within the same DNS Domain.
Jr Aquino
jr.aquino at citrixonline.com
Mon May 4 15:17:51 EDT 2009

I am attempting to execute a migration from an older Krb5 system to a
new Krb5 - eDirectory system. (2 different KDCs)

I am having trouble determining the best option for the clients to
respect the new realm.

Is it possible to have multiple krb5 Realms within the same DNS Domain
and have the clients respect the difference?

So far, it appears that I have the following options:

0. Change the DNS Domain name suffix for newly migrated hosts.
1. Create/Designate hierarchical DNS Sub-domains, migrate each system
   in each sub-domain in bulk. <- Add lines to every client krb5.conf to
   recognize the split.
2. Add thousands of lines to every client's krb5.conf file to map
   every single migrated host to the new realm.
3. Use dns_lookup_realm in the client's krb5.conf file <This appears to
   be very broken and documented on a few mailing lists>

Can anyone confirm this list is complete, or suggest an alternative
solution to migrate the hosts while allowing the clients to respect
both Realms simultaneously?

Jr Aquino | Information Security Engineer
Citrix Online Division
Citrix Systems, Inc.
6500 Hollister Avenue
Goleta, CA 93117 USA
www.citrixonline.com
Desk: 805-690-3478
Email: jr.aquino at citrixonline.com
www.gotomypc.com | Access Your PC from Anywhere
www.gotomeeting.com | Online Meetings Made Easy
www.gotoassist.com | Remote Support Made Easy
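
An added example, not part of the original post: a simplified model of how [domain_realm] entries in krb5.conf select a realm (a host entry overrides a leading-dot domain entry, and the most specific domain entry wins), with a generator for the per-host and per-subdomain lines that options 1 and 2 call for. The realm names, domain and host names are constructed placeholders, and the function names are hypothetical.

```python
# Added example: model of [domain_realm] precedence for a two-realm migration.
# Realm, domain and host names below are constructed placeholders.

OLD_REALM = "OLD.EXAMPLE.COM"
NEW_REALM = "NEW.EXAMPLE.COM"


def build_domain_realm(domain, migrated_hosts, migrated_subdomains=()):
    """Return a {tag: realm} mapping: domain default -> old realm,
    per-subdomain and per-host overrides -> new realm."""
    mapping = {"." + domain: OLD_REALM, domain: OLD_REALM}
    for sub in migrated_subdomains:      # option 1: one line per sub-domain
        mapping["." + sub.lower()] = NEW_REALM
    for host in migrated_hosts:          # option 2: one line per host
        mapping[host.lower()] = NEW_REALM
    return mapping


def resolve_realm(hostname, mapping):
    """Most specific entry wins: exact host, then each parent as '.domain'."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        tag = "." + ".".join(labels[i:])
        if tag in mapping:
            return mapping[tag]
    return None  # no matching entry in this table


def render_stanza(mapping):
    """Render the mapping as a krb5.conf [domain_realm] section."""
    lines = ["[domain_realm]"]
    # Host entries first, then domain entries; ordering is for readability only.
    for tag in sorted(mapping, key=lambda t: (t.startswith("."), t)):
        lines.append("    %s = %s" % (tag, mapping[tag]))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_domain_realm("example.com",
                           ["db01.example.com", "web07.example.com"],
                           ["lab.example.com"])
    print(render_stanza(m))
    for h in ("db01.example.com", "mail.example.com", "x.lab.example.com"):
        print(h, "->", resolve_realm(h, m))
```

Running the resolver over the full host inventory before distributing the generated stanza shows which hosts still fall through to the old realm's domain-wide entry.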