Migrating to new hardware - best practices?

Richard E. Silverman res at qoxp.net
Sun Jul 10 19:31:16 EDT 2011


Bjørn Tore Sund <bjorn.sund at adm.uib.no> writes:

> On 6/11/11 8:46 AM, Richard E. Silverman wrote:
>> Bjørn Tore Sund <bjorn.sund at adm.uib.no> writes:
>>
>>> Hi,
>>>
>>> We have been running our KDCs on a dual Sun Solaris 10 setup for five
>>> years, currently at MIT Kerberos 1.6.  The hardware is out of support, Sun
>>> Solaris is going away by local policy and so we need to migrate to a dual
>>> RHEL 6 setup with whatever version of MIT Kerberos is current from rpms on
>>> that platform - currently 1.8.2.
>>>
>>> After googling for a while I thought I'd ask here - is there a best
>>> practices document we can use to plan the procedure?
>>
>> One suggestion: if you're using file-based storage for the principal
>> database, do a dump and reload rather than try to copy the binary files
>> over; they will likely not be compatible.  On the old host:
>>
>> # dump the database to the file kerberos.db
>> #
>> $ sudo kdb5_util -r REALM dump kerberos.db
>>
>> ... and on the new host:
>>
>> # initialize a new database
>> #
>> $ sudo kdb5_util -r REALM create -s
>>
>> # and load your principal data into it
>> #
>> $ sudo kdb5_util -r REALM load kerberos.db
>
> Thanks.  Going thoroughly through
> http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5install.html we
> found an "Upgrading existing Kerberos V5 installations" section and other
> useful stuff giving us that procedure.
>
> Main challenge now is that we've discovered we need AD to go up from W2K3
> to W2K8 before we can make the Unix-side switch or we break cross-realm
> due to encryption incompatibility.

Actually, no: there's a registry key you can set on the W2K8 machines
which allows them to use the older ciphers, including the DES
inter-realm keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes
 = DWORD 0x7fffffff

- Richard
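
As an added example, not part of the original message: a Python decoder for the SupportedEncryptionTypes value, which lists what a given mask enables and computes the narrowest mask that still covers a set of inter-realm key types. The bit assignments are the standard msDS-SupportedEncryptionTypes flags; the function names and the sample key type (des-cbc-crc) are assumptions made for illustration.

```python
# Added example: decode a Windows Kerberos SupportedEncryptionTypes DWORD.
# Low five bits are the msDS-SupportedEncryptionTypes flags (MS-KILE);
# the rest of 0x7fffffff is the "future encryption types" range.
ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
FUTURE_MASK = 0x7FFFFFE0
AES_MASK = 0x08 | 0x10
# DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429).
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}


def decode(mask):
    """Return (enabled enctype names, True if any future-type bit is set)."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("SupportedEncryptionTypes is a 32-bit DWORD")
    names = [name for bit, name in sorted(ETYPE_BITS.items()) if mask & bit]
    return names, bool(mask & FUTURE_MASK)


def weak_enabled(mask):
    """List the deprecated enctypes a mask turns on."""
    names, _ = decode(mask)
    return [n for n in names if n in WEAK]


def minimal_mask(peer_enctypes, keep_aes=True):
    """Narrowest mask covering the enctypes of the inter-realm keys.

    peer_enctypes: enctype names of the cross-realm keys (hypothetical input,
    e.g. read from the krbtgt principal on the MIT side).
    """
    by_name = {name: bit for bit, name in ETYPE_BITS.items()}
    unknown = [e for e in peer_enctypes if e not in by_name]
    if unknown:
        raise ValueError("no policy bit for: " + ", ".join(unknown))
    mask = AES_MASK if keep_aes else 0
    for e in peer_enctypes:
        mask |= by_name[e]
    return mask


if __name__ == "__main__":
    print(decode(0x7FFFFFFF), weak_enabled(0x7FFFFFFF))
    # Constructed case: the inter-realm key is des-cbc-crc only.
    print(hex(minimal_mask(["des-cbc-crc"])))
```

Comparing the output for 0x7fffffff with the narrower mask shows which deprecated types stay enabled only because every bit was set, which is the list to revisit once the inter-realm keys are re-keyed.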


