Migrating principals between realms
Greg Hudson
ghudson at mit.edu
Thu Dec 13 14:41:57 EST 2018
On 12/12/2018 09:39 AM, Angel Kafazov wrote:
> I need to migrate principals from one kerberos server to another. Both
> servers have different realms. Is this possible?
It's tricky. If a principal has a password-based key, by default the
key is salted with the concatenation of the realm and principal name,
like "ATHENA.MIT.EDUraeburn". If you move the principal entry to the
new realm, the default salt changes and clients will compute the wrong key.
A workaround is to run kadmin's "renprinc" command on the principal
entry before migrating it, and then rename it back to what it was.
renprinc records the old default salt as an explicit salt in the
principal key data, effectively fixing its value so that the correct
salt will be presented to clients in the new realm.
I believe you will also need to use kdb5_util dump's "-mkey_convert"
option so that the principal key data will be encrypted in the master
key of the new realm.
This thread contains more details (but the use case was a full realm
rename, not migrating principal entries):
http://mailman.mit.edu/pipermail/kerberos/2014-June/019948.html