copy users from one realm to another

Paul B. Henson henson at acm.org
Mon Jun 23 16:20:49 EDT 2014


So our administration has decided they want to change our edu domain, which
means with current edu policy we lose the old one 8-/. We're currently
looking at how best to handle this nightmare (and thanking our lucky stars
we're not going to be the ones that have to tell faculty the email address
they've had for 30 years will stop working). Right now, we're planning on
standing up separate Kerberos servers for the new realm alongside our
existing ones. For our LDAP servers, we're going to do the same thing, and
given LDAP just stores an SSHA hash of the password, we're going to be able
to bring along the passwords and cut over users to the new LDAP servers for
the new domain with no hassle.

I'm not sure that we can do that for Kerberos though. We are currently using
the LDAP backend, so it would be pretty trivial to rip through it and do a
s/old.edu/new.edu/g like we plan to with LDAP, but I seem to recall that
Kerberos uses the realm as part of the password hash? Which would make all
of the passwords invalid and require users to update their password via our
identity management portal before they would be able to use services
authenticated by the new Kerberos realm.

Am I misremembering? Is there any way to copy an existing Kerberos database
for realm A to realm B without requiring resetting passwords?

Thanks much.
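The question above turns on the salt Kerberos feeds into string-to-key. Per RFC 4120 section 4, when no explicit salt is stored for a principal, the default salt is the realm name concatenated with the principal's name components, with no separators, so `henson@OLD.EDU` and `henson@NEW.EDU` hash the same password to different keys. The block below is an added illustration, not code from the post or from MIT Kerberos: it builds that default salt and runs the PBKDF2 stage of the RFC 3962 AES string-to-key (the final DK step that turns the PBKDF2 output into the AES key is a fixed, keyed transformation of that output, so differing PBKDF2 outputs mean differing keys). The principal names and realms are constructed sample values; the one fixed vector checked is the published RFC 3962 Appendix B test case.

```python
import hashlib

# Default iteration count for aes128-cts-hmac-sha1-96 / aes256 (RFC 3962)
DEFAULT_ITERATIONS = 4096


def default_salt(realm: str, components: list[str]) -> str:
    """RFC 4120 default salt: realm followed by the name components,
    in order, with no separators (e.g. 'OLD.EDUhenson')."""
    return realm + "".join(components)


def pbkdf2_stage(password: str, salt: str,
                 iterations: int = DEFAULT_ITERATIONS,
                 key_bytes: int = 16) -> bytes:
    """First half of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt. The real enctype then applies DK(tkey,
    'kerberos'), which is omitted here; it is deterministic in tkey."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def keys_for_realms(password: str, components: list[str],
                    realms: list[str]) -> dict[str, bytes]:
    """Derive the PBKDF2 stage for the same user and password in each
    realm, so the effect of a realm rename on stored keys is visible."""
    return {realm: pbkdf2_stage(password, default_salt(realm, components))
            for realm in realms}


def realm_change_breaks_keys(password: str, components: list[str],
                             old_realm: str, new_realm: str) -> bool:
    """True when the same password yields a different key after the
    realm changes, i.e. a copied KDB would not validate the password."""
    keys = keys_for_realms(password, components, [old_realm, new_realm])
    return keys[old_realm] != keys[new_realm]


def rfc3962_appendix_b_vector() -> bytes:
    """RFC 3962 Appendix B, iteration count 1: password 'password',
    salt 'ATHENA.MIT.EDUraeburn' (realm 'ATHENA.MIT.EDU', user 'raeburn')."""
    return pbkdf2_stage("password",
                        default_salt("ATHENA.MIT.EDU", ["raeburn"]),
                        iterations=1)


if __name__ == "__main__":
    # Constructed sample principal: henson in the old and new realm
    for realm, key in keys_for_realms("correct horse", ["henson"],
                                      ["OLD.EDU", "NEW.EDU"]).items():
        print(f"{default_salt(realm, ['henson']):>16}  {key.hex()}")
    print("realm change invalidates keys:",
          realm_change_breaks_keys("correct horse", ["henson"],
                                   "OLD.EDU", "NEW.EDU"))
```

The practical consequence matches the poster's recollection: a KDB dump rewritten with `s/OLD.EDU/NEW.EDU/` carries keys salted with the old realm, so the new KDC would compute a different key from the user's password and every AS exchange would fail until the password is re-set. The exception is principals that already have an explicit, non-default salt recorded with their keys (the RFC 4120 default is only used when no salt is stored), which is why checking the stored key salt types before planning a migration is worthwhile.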