MIT Kerberos production realm = mirror/copy to a test/dev realm?

Tareq Alrashid tma at case.edu
Sat May 12 12:58:35 EDT 2012


Thanks again, Jason. I got the point 2nd time around :)
Tareq

On May 12, 2012, at 10:45 AM, Jason Edgecombe wrote:

> (replying back to list)
> 
> Propagation wouldn't be any different than a dump and reload. Just point your clients at the test server for testing. This also helps to test how well the old principals will migrate to the new version.
> 
> Jason
> 
> On 05/11/2012 07:04 PM, Tareq Alrashid wrote:
>> Thank you, Jason.
>> 
>> I forgot to mention that the PRODKRB.REALM.EDU production realm is at v5-1.6.3.
>> Need to set up a new KRBDEV.REALM.EDU to test and upgrade everything to v5.1.10.1.
>> And also upgrade away from DES to latest/strongest enctypes.
>> 
>> I have done a manual simple dump/load into new dev realm, and of course all principals are
>> added with abc at PRODKRB.REALM.EDU into the KRBDEV.REALM.EDU.
>> So not sure how propagation would be any different.
>> 
>> Thanks,
>> Tareq
>> 
>> On May 11, 2012, at 6:26 PM, Jason Edgecombe wrote:
>> 
>>> On 05/11/2012 01:44 PM, Tareq Alrashid wrote:
>>>>  Greetings,
>>>> 
>>>> The production Kerberos realm is decades old.  Never had a “real” test/development realm until now. Don’t ask!
>>>> 
>>>> How to best create or mirror an existing realm of all principals and all their information, except it's under a new realm for testing of all that is to be implemented in the future?
>>>> 
>>>> My thinking with what I know, it's not possible considering how everything is meshed in a combination of realm/passwords/salts…etc.
>>>> 
>>>> But I ask just in case I am missing something.
>>>> 
>>>> Insights?
>>>> 
>>> Set up a test server as a slave of the prod server, then enable kadmin so that it acts like a master. You can trigger kprop by hand to sync prod to dev when you want.
>>> 
>>> You might not want an entire test realm, just a devel/test copy of the production realm. I deploy changes to my slave KDCs and point clients at it for testing. After I'm satisfied, I roll out to production.
>>> 
>>> Jason
>> 
> 



