Upgrade strategies
Nico Williams
nico at cryptonector.com
Thu Feb 28 17:10:44 EST 2013
It might be useful to have a list of all features that should not be
used on a master with downlevel slaves. Here's a few that I know of:

- newer enctypes (AES was added in... 1.4 and since then Camellia is
  the newest) for service keys, particularly krbtgt keys
- multiple MKVNOs (I forget when this was added)
- n-strikes user principal locking (IIRC that was in 1.8)
- extended policies (1.11)

There are probably others. I'm guessing PKINIT is a feature you don't
want to use in a master with downlevel slaves.