Migrating to new hardware - best practices?

Bjørn Tore Sund bjorn.sund at adm.uib.no
Tue Jun 14 05:26:37 EDT 2011


On 6/11/11 8:46 AM, Richard E. Silverman wrote:
> Bjørn Tore Sund<bjorn.sund at adm.uib.no>  writes:
>
>> Hi,
>>
>> We have been running our KDCs on a dual Sun Solaris 10 setup for five
>> years, currently at MIT Kerberos 1.6.  The hardware is out of support, Sun
>> Solaris is going away by local policy and so we need to migrate to a dual
>> RHEL 6 setup with whatever version of MIT Kerberos is current from rpms on
>> that platform - currently 1.8.2.
>>
>> After googling for a while I thought I'd ask here - is there a best
>> practices document we can use to plan the procedure?
>
> One suggestion: if you're using file-based storage for the principal
> database, do a dump and reload rather than try to copy the binary files
> over; they will likely not be compatible.  On the old host:
>
> # dump the database to the file kerberos.db
> #
> $ sudo kdb5_util -r REALM dump kerberos.db
>
> ... and on the new host:
>
> # initialize a new database
> #
> $ sudo kdb5_util -r REALM create -s
>
> # and load your principal data into it
> #
> $ sudo kdb5_util -r REALM load kerberos.db

Thanks.  Going thoroughly through 
http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5install.html we 
found an "Upgrading existing Kerberos V5 installations" section and 
other useful stuff giving us that procedure.

Main challenge now is that we've discovered we need AD to go up from 
W2K3 to W2K8 before we can make the Unix-side switch or we break 
cross-realm due to encryption incompatibility.

> Also, a warning: there is a bug in 1.8 which sometimes prevents
> authentication from Unix clients to Windows-based services when the
> service ticket employs an RC4 session key.  The bug was not present in
> 1.6.3, and disappeared with 1.9.1.  I downgraded from 1.8 to 1.6.3 to
> buy myself time until I had a chance to debug it, but 1.9.1 came out
> first, so I never did track it down.

Thanks.  Useful to know, though since I wrote that, RHEL6 is up to 
something they call 1.9-9.  It doesn't seem to have the 1.9.1 bugfix, 
though, according to http://rhn.redhat.com/errata/RHBA-2011-0571.html.
This could get interesting, but the AD upgrade will take time so things 
may solve themselves.

Thank you very much for your feedback.

-BT
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at adm.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
