Migrating to new hardware - best practises?
Richard E. Silverman
res at qoxp.net
Sat Jun 11 02:46:13 EDT 2011
Bjørn Tore Sund <bjorn.sund at adm.uib.no> writes:
> Hi,
>
> We have been running our KDCs on a dual Sun Solaris 10 setup for five
> years, currently at MIT Kerberos 1.6. The hardware is out of support, Sun
> Solaris is going away by local policy and so we need to migrate to a dual
> RHEL 6 setup with whatever version of MIT Kerberos is current from rpms on
> that platform - currently 1.8.2.
>
> After googling for a while I thought I'd ask here - is there a best
> practices document we can use to plan the procedure?

One suggestion: if you're using file-based storage for the principal
database, do a dump and reload rather than try to copy the binary files
over; they will likely not be compatible. On the old host:

    # dump the database to the file kerberos.db
    #
    $ sudo kdb5_util -r REALM dump kerberos.db

... and on the new host:

    # initialize a new database
    #
    $ sudo kdb5_util -r REALM create -s

    # and load your principal data into it
    #
    $ sudo kdb5_util -r REALM load kerberos.db

Also, a warning: there is a bug in 1.8 which sometimes prevents
authentication from Unix clients to Windows-based services when the
service ticket employs an RC4 session key. The bug was not present in
1.6.3, and disappeared with 1.9.1. I downgraded from 1.8 to 1.6.3 to
buy myself time until I had a chance to debug it, but 1.9.1 came out
first, so I never did track it down.

--
Richard Silverman
res at qoxp.net