MIT Kerberos production realm = mirror/copy to a test/dev realm?
Jason Edgecombe
jason at rampaginggeek.com
Sat May 12 10:45:36 EDT 2012
(replying back to list)
Propagation wouldn't be any different than a dump and reload. Just point
your clients at the test server for testing. This also helps to test how
well the old principals will migrate to the new version.
Jason
On 05/11/2012 07:04 PM, Tareq Alrashid wrote:
> Thank you, Jason.
>
> I forgot to mention, that PRODKRB.REALM.EDU production realm is at v5-1.6.3.
> Need to setup a new KRBDEV.REALM.EDU to test and upgrade everything to v5.1.10.1.
> And also upgrade away from DES to latest/strongest enctypes.
>
> I have done a manual simple dump/load into new dev realm, and of course all principals are
> added with abc at PRODKRB.REALM.EDU into the KRBDEV.REALM.EDU.
> So not sure how propagation would be any different.
>
> Thanks,
> Tareq
>
> On May 11, 2012, at 6:26 PM, Jason Edgecombe wrote:
>
>> On 05/11/2012 01:44 PM, Tareq Alrashid wrote:
>>> Greetings,
>>>
>>> The production Kerberos realm is decades old. Never had a “real” test/development realm until now. Don’t ask!
>>>
>>> How to best create or mirror an existing realm of all principals and all their information, except its under a new realm for testing of all that is to be implemented in the future?
>>>
>>> My thinking with what I know its not possible considering how everything is meshed in a combination of realm/passwords/salts…etc.
>>>
>>> But I ask just in case I am missing something.
>>>
>>> Insights?
>>>
>> Set up a test server as a slave of the prod server, then enable kadmin so that it acts like a master. You can trigger kprop by hand to sync prod to dev when you want.
>>
>> You might not want an entire test realm, just a devel/test copy of the production realm. I deploy changes to my slave KDC's and point for clients at it for testing. After I'm satisfied, I roll out to production.
>>
>> Jason
>
More information about the Kerberos
mailing list