MIT Kerberos production realm = mirror/copy to a test/dev realm?
Tareq Alrashid
tma at case.edu
Sat May 12 12:58:35 EDT 2012
Thanks again, Jason. I got the point 2nd time around :)
Tareq
On May 12, 2012, at 10:45 AM, Jason Edgecombe wrote:
> (replying back to list)
>
> Propagation wouldn't be any different than a dump and reload. Just point your clients at the test server for testing. This also helps to test how well the old principals will migrate to the new version.
>
> Jason
>
> On 05/11/2012 07:04 PM, Tareq Alrashid wrote:
>> Thank you, Jason.
>>
>> I forgot to mention that the PRODKRB.REALM.EDU production realm is at v5-1.6.3.
>> Need to set up a new KRBDEV.REALM.EDU to test and upgrade everything to v5.1.10.1.
>> And also upgrade away from DES to latest/strongest enctypes.
>>
>> I have done a manual simple dump/load into new dev realm, and of course all principals are
>> added with abc@PRODKRB.REALM.EDU into the KRBDEV.REALM.EDU.
>> So not sure how propagation would be any different.
>>
>> Thanks,
>> Tareq
>>
>> On May 11, 2012, at 6:26 PM, Jason Edgecombe wrote:
>>
>>> On 05/11/2012 01:44 PM, Tareq Alrashid wrote:
>>>> Greetings,
>>>>
>>>> The production Kerberos realm is decades old. Never had a “real” test/development realm until now. Don’t ask!
>>>>
>>>> How to best create or mirror an existing realm of all principals and all their information, except it's under a new realm for testing of all that is to be implemented in the future?
>>>>
>>>> My thinking, with what I know, is that it's not possible considering how everything is meshed in a combination of realm/passwords/salts…etc.
>>>>
>>>> But I ask just in case I am missing something.
>>>>
>>>> Insights?
>>>>
>>> Set up a test server as a slave of the prod server, then enable kadmin so that it acts like a master. You can trigger kprop by hand to sync prod to dev when you want.
>>>
>>> You might not want an entire test realm, just a devel/test copy of the production realm. I deploy changes to my slave KDCs and point clients at them for testing. After I'm satisfied, I roll out to production.
>>>
>>> Jason
>>
>