Change Realm Name

Russ Allbery rra at stanford.edu
Fri Jul 9 13:59:04 EDT 2010


Josh Catana <jcatana at gmail.com> writes:

> Is it possible to change the name of a Kerberos realm from OLD.PLACE.COM to
> NEW.PLACE.COM?
> Something like:

> kdb5_util dump -mkey_convert -new_mkey_file .k5.NEW.PLACE.COM krb5db.dump
> sed -i -e 's/OLD.PLACE.COM/NEW.PLACE.COM/g' krb5db.dump
> kdb5_util load -update krb5db.dump

> Why doesn't this work?

Because all the keys in the KDC are salted with the old realm name.

IIRC, there's some way to permit this with recent Kerberos clients that
can support an alternative salt, but I don't remember the details of how
to make it work.  But hopefully those keywords will help get you pointed
in the right direction.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
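
Added example, not part of the original message: a sketch of why the sed rename leaves every stored key unusable. It assumes the AES enctypes of RFC 3962, whose string-to-key starts with PBKDF2-HMAC-SHA1 over the password and a salt that defaults to the realm followed by the principal's name components (RFC 4120). Only that PBKDF2 stage is computed here; the final key is a deterministic function of its output. The principal `jdoe` and the password are constructed sample values.

```python
import hashlib
import hmac

ITERATIONS = 4096  # default iteration count in RFC 3962


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm, then name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def aes_pbkdf2_stage(password: str, salt: bytes, keylen: int = 32) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, keylen
    )


def simulate_rename(password: str, principal: str,
                    old_realm: str, new_realm: str) -> dict:
    """Compare the key kept in the database with what a client derives."""
    # Key stored in the KDC database: derived once, under the old realm.
    # Editing the dump changes principal names, not this key material.
    stored = aes_pbkdf2_stage(password, default_salt(old_realm, principal))

    # Client in the renamed realm using the default salt for its new name.
    client_default = aes_pbkdf2_stage(
        password, default_salt(new_realm, principal)
    )

    # Client that is told to use the old realm's salt instead of the default.
    client_old_salt = aes_pbkdf2_stage(
        password, default_salt(old_realm, principal)
    )

    return {
        "default_salt_matches": hmac.compare_digest(stored, client_default),
        "old_salt_matches": hmac.compare_digest(stored, client_old_salt),
    }


if __name__ == "__main__":
    # Constructed sample values, using the realm names from the question.
    print(simulate_rename("correct horse", "jdoe",
                          "OLD.PLACE.COM", "NEW.PLACE.COM"))
```

The first comparison fails and the second succeeds: the password still works only when the client derives its key with the old realm's salt, which is the "alternative salt" case the reply mentions.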


