copy users from one realm to another
Greg Hudson
ghudson at MIT.EDU
Mon Jun 23 16:54:17 EDT 2014
On 06/23/2014 04:20 PM, Paul B. Henson wrote:
> Am I misremembering? Is there any way to copy an existing Kerberos database
> for realm A to realm B without requiring resetting passwords?
It's possible in theory, but we don't currently provide tooling for it.
The problems I'm aware of include:
1. As you noted, the default salt of a principal includes the realm
name. To rename a principal entry with a password-based key, you have
to modify the key data of that principal to include an explicit salt.
We provide a kadmin operation which does that for a single principal,
but not for a whole realm.
2. The master key stash file (since 1.7) is a keytab file with the key
filed under K/M@oldrealm. This has to be modified to have the key filed
under K/M@newrealm.
3. krbtgt principal entries (local and cross-realm) need to have their
second components renamed as well as their realm names. Cross-realm
krbtgt principal entries need to be renamed in the foreign database as
well as the local one.
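The salt problem in point 1 is easy to see numerically. The following is an added example, not code from the mailing-list post or from MIT krb5; it implements the default salt rule of RFC 4120 (realm name followed by the name components, concatenated without separators) and the PBKDF2 stage of the aes256-cts-hmac-sha1-96 string-to-key function of RFC 3962, and then simulates what happens to a password-derived key when the principal's realm is renamed with and without an explicit salt stored in the entry. The function names, the simplified principal parser (no quoting support), and the modelled KDC behaviour (a stored explicit salt is advertised to the client, otherwise the client uses the default salt of the name it asked for) are the example's own assumptions. Only the PBKDF2 stage is computed; the final DK(tkey, "kerberos") step of RFC 3962 depends on nothing but tkey, so two keys agree exactly when their tkey values agree.

```python
"""Why renaming a realm breaks password-derived Kerberos keys unless the
salt is made explicit.  Added example; not from the original post or MIT krb5.
"""
import hashlib
from typing import List, Optional, Tuple


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm).
    Assumption: no backslash quoting of '/' or '@' in names."""
    local, sep, realm = name.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal name must contain a realm: %r" % name)
    return local.split("/"), realm


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm name, then each name component, concatenated."""
    comps, realm = parse_principal(principal)
    return (realm + "".join(comps)).encode("utf-8")


def aes256_string_to_key_stage1(password: str, salt: bytes,
                                iterations: int = 4096) -> bytes:
    """RFC 3962: tkey = PBKDF2-HMAC-SHA1(passphrase, salt, iterations, 32 bytes).
    The real key is DK(tkey, b"kerberos"); that step is omitted here because it
    adds no dependence on the password or salt beyond tkey."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, 32)


def derive_key(password: str, principal: str,
               explicit_salt: Optional[bytes] = None) -> bytes:
    """Key (stage 1) for a principal.  With no explicit salt recorded in the KDB
    entry, the salt is recomputed from the principal's *current* name."""
    salt = explicit_salt if explicit_salt is not None else default_salt(principal)
    return aes256_string_to_key_stage1(password, salt)


def client_key_after_rename(password: str, old_name: str, new_name: str,
                            store_explicit_salt: bool) -> bool:
    """Simulate copying an entry from realm A to realm B (modelled behaviour,
    an assumption of this example):

    1. The entry was created under old_name with the default salt.
    2. Optionally the rename records that default salt as an explicit salt.
    3. Afterwards the client authenticates as new_name; the KDC advertises the
       stored explicit salt if there is one, otherwise the client falls back
       to the default salt of new_name (now containing the new realm).

    Returns True if the client's key still matches the key in the entry."""
    entry_key = derive_key(password, old_name)              # created in realm A
    entry_salt = default_salt(old_name) if store_explicit_salt else None
    advertised = entry_salt if entry_salt is not None else default_salt(new_name)
    client_key = aes256_string_to_key_stage1(password, advertised)
    return client_key == entry_key


if __name__ == "__main__":
    # Constructed sample names and password; not real credentials.
    old, new, pw = "alice@OLD.EXAMPLE", "alice@NEW.EXAMPLE", "correct horse"
    print("default salt, old name:", default_salt(old))
    print("default salt, new name:", default_salt(new))
    print("rename without explicit salt, client key matches:",
          client_key_after_rename(pw, old, new, store_explicit_salt=False))
    print("rename with explicit salt, client key matches:",
          client_key_after_rename(pw, old, new, store_explicit_salt=True))
```

Run as a script it shows the mismatch (the entry's key was salted with `OLD.EXAMPLEalice`, the client now salts with `NEW.EXAMPLEalice`) and that recording the old default salt explicitly, as kadmin's single-principal rename does, preserves the key, which is exactly why a whole-realm copy has to rewrite the key data of every password-derived entry rather than just the principal names.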