Migrating Krb5 realm

Andreas Ladanyi andreas.ladanyi at kit.edu
Wed May 27 04:09:25 EDT 2015


Hi Ben,

Thanks for your explanation. I have to look for an easier way. I think an
export and import of the user principal names without the realm name from
the old to the new realm will be easier. One disadvantage is that there
will be a lot of new keytabs and users will have to set new passwords.

Andy

> The realm name is part of the salt used as input to the password hashing
> process.  Normally, the salt is not stored in the database and the default
> salt is computed at runtime by concatenating the realm and principal name.
> Changing the realm without changing the password-derived keys will require
> manually setting an explicit salt on all password-derived keys.  Renaming
> a realm is not a common operation, so good tooling has not been developed
> and incorporated into the release.
>
> -Ben Kaduk
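
The effect described in the quoted reply, as an added example that is not part of the original thread or of the krb5 code: it builds the default salt (realm followed by the principal's name components, no separators) and runs the PBKDF2-HMAC-SHA1 stage of the AES string-to-key from RFC 3962. The final key-derivation (DK) step of RFC 3962 is omitted, and the principal, password and realm names are constructed sample values.

```python
import hashlib

def default_salt(realm: str, principal: str) -> bytes:
    """Default salt: the realm, then each name component, with no separators."""
    components = principal.split("/")
    return (realm + "".join(components)).encode("utf-8")

def pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096,
                 length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (DK step omitted).
    4096 is the default iteration count given in RFC 3962."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, length)

def rename_report(principal: str, password: str,
                  old_realm: str, new_realm: str) -> dict:
    """Compare the key material the KDC database holds with what a client
    derives after the realm is renamed, with and without an explicit salt."""
    old_salt = default_salt(old_realm, principal)
    new_salt = default_salt(new_realm, principal)
    stored = pbkdf2_stage(password, old_salt)      # derived before the rename
    by_default = pbkdf2_stage(password, new_salt)  # client uses new default salt
    by_explicit = pbkdf2_stage(password, old_salt) # KDC advertises the old salt
    return {
        "old_salt": old_salt,
        "new_salt": new_salt,
        "default_salt_still_matches": by_default == stored,
        "explicit_old_salt_matches": by_explicit == stored,
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    report = rename_report("alice", "correct horse battery staple",
                           "OLD.EXAMPLE.ORG", "NEW.EXAMPLE.ORG")
    for name, value in report.items():
        print(f"{name}: {value}")
```

With the same password, the key only matches after the rename when the old salt is set explicitly on the key; otherwise the password has to be set again so a key is derived under the new realm's default salt.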


