Migrating Krb5 realm

Benjamin Kaduk kaduk at MIT.EDU
Thu May 21 12:23:28 EDT 2015

On Thu, 21 May 2015, Andreas Ladanyi wrote:

> Hi,
> I want to migrate my old Krb5 Realm. I have a Krb5 own DB and want to
> use LDAP to hold the principals in the future. Also I want to change the
> realm name.
> I read a lot about dumping the Krb5 DB with kdb5_util and restoring it.
> I also read something about replacing the master key or reencrypting the
> Krb5 DB with a new master key when dumping the DB with kdb5_util.
> I didn't read anything about changing the realm name in the dumping
> process. So I am asking myself the question if it is possible to dump,
> reencrypt and change the realm name without changing the principals'
> password hashes?

The realm name is part of the salt used as input to the password hashing
process.  Normally, the salt is not stored in the database and the default
salt is computed at runtime by concatenating the realm and principal name.
Changing the realm without changing the password-derived keys will require
manually setting an explicit salt on all password-derived keys.  Renaming
a realm is not a common operation, so good tooling has not been developed
and incorporated into the release.

-Ben Kaduk
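
The salt dependency described in the reply above, as an added example that is not part of the original post or of the krb5 code base. It assumes the RFC 3962 AES string-to-key, models only its PBKDF2-HMAC-SHA1 stage (the final key is a deterministic function of that value), and uses constructed realm, principal and password values.

```python
import hashlib

def default_salt(realm: str, principal: str) -> bytes:
    """Default salt: realm followed by the principal name components,
    concatenated without separators (e.g. "ATHENA.MIT.EDU" + "raeburn")."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")

def pbkdf2_stage(password: str, salt: bytes,
                 iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (RFC 3962).
    The later DK(tkey, "kerberos") step is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)

def simulate_rename(password: str, principal: str,
                    old_realm: str, new_realm: str) -> dict:
    """Compare password-derived key material before and after a realm rename."""
    old_salt = default_salt(old_realm, principal)
    new_salt = default_salt(new_realm, principal)

    stored = pbkdf2_stage(password, old_salt)           # key already in the KDB
    rederived = pbkdf2_stage(password, new_salt)        # what the new default salt yields
    with_explicit = pbkdf2_stage(password, old_salt)    # old salt kept as explicit salt

    return {
        "old_salt": old_salt,
        "new_salt": new_salt,
        # False: the stored key no longer matches the default salt of the new realm
        "default_salt_still_matches": stored == rederived,
        # True: keeping the old salt explicitly preserves the existing key
        "explicit_salt_matches": stored == with_explicit,
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    result = simulate_rename("correct horse", "alice/admin",
                             "OLD.EXAMPLE.ORG", "NEW.EXAMPLE.ORG")
    for name, value in result.items():
        print(f"{name}: {value}")
```
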
