Migrating Krb5 realm

Andreas Ladanyi andreas.ladanyi at kit.edu
Wed May 27 04:09:25 EDT 2015

Hi Ben,

thx for your explanation. I have to look for an easier way. I think an
export and import of the user principal names without realmname from the
old to the new realm will be easier. One disadvantage are a lot of new
keytabs and users have to set new passwords.

> The realm name is part of the salt used as input to the password hashing
> process.  Normally, the salt is not stored in the database and the default
> salt is computed at runtime by concatenating the realm and principal name.
> Changing the realm without changing the password-derived keys will require
> manually setting an explicit salt on all password-derived keys.  Renaming
> a realm is not a common operation, so good tooling has not been developed
> and incorporated into the release.
> -Ben Kaduk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5306 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20150527/e54d7009/attachment.bin

More information about the Kerberos mailing list