Changing the realm of an existing KDC
Matt Crawford
crawford at fnal.gov
Wed Nov 21 16:27:14 EST 2007
On Nov 21, 2007, at 2:40 PM, Shivakeshav Santi wrote:
> Is there a way to change the realm of an existing KDC. I know that we can
> create a new KDC with a different realm but is there a way to get the data
> from the OLD KDC (which has a different realm) into this new KDC.
>
> For ex: I have a KDC with a realm : DEF.ABC.EDU
> Now I want to change the realm to : ABC.EDU
And presumably you want to keep the user principals' records intact.
I had to do this long ago. I added a "-new_realm" option to
kdb5_util's dump function that changed the user keys with the regular
salt into keys with "special" salt, with the old name as the value of
the special salt. The next time each user changed their password, the
special salt entry went away.
I suspect what I wrote then was not incorporated and maintained and
would need revision now.
I also provided sysadmins a keytab-convert program ...
KEYTAB-CONVERT(1)                                            KEYTAB-CONVERT(1)

NAME
       keytab-convert - Update a Kerberos keytab file for a change of realm.

SYNOPSIS
       keytab-convert [-v] [-o OLDREALM] [-n NEWREALM] [keytabfile]

DESCRIPTION
       The keytab-convert command scans the named keytab, or the default
       keytab /etc/krb5.keytab if omitted, looking for principals belonging
       to NEWREALM.  Only if none are found, it will create a duplicate
       keytab entry for each entry found in OLDREALM, keeping the same key
       and kvno and changing the realm to NEWREALM.

       This is only useful, of course, if keys are to be preserved during
       the transition to NEWREALM.

       The default NEWREALM is the host's default realm from /etc/krb5.conf.
       The default OLDREALM is the realm of the existing keytab entries, but
       only if they all have the same realm.

OPTIONS
       -n NEWREALM
              The new keytab entries are given a realm of NEWREALM instead
              of the host's default realm.

       -o OLDREALM
              Keytab entries with a realm of OLDREALM are duplicated into
              the new realm.  This option is required if the keytab already
              contains entries from two or more realms.

       -v     Cause verbose output during execution.

SEE ALSO
       ktutil(8), kadmin(8).

BUGS
       None known.
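The man page above states the rules keytab-convert follows but not how they act on a real keytab. The following is an added example, not Matt Crawford's keytab-convert source (which is not part of this message): a small Python model that parses and rewrites the MIT version-2 keytab file format and applies exactly the rules the DESCRIPTION gives (no-op if NEWREALM entries already exist, OLDREALM inferred only when every entry shares one realm, one appended duplicate per OLDREALM entry with the same key and kvno). The principal names, timestamps and key bytes in `sample_keytab()` are constructed for illustration.

```python
import struct
from dataclasses import dataclass, replace as dc_replace
from typing import List

# MIT keytab file format, version 2 (magic 0x0502); all integers big-endian.
KEYTAB_MAGIC = b"\x05\x02"


@dataclass(frozen=True)
class KeytabEntry:
    realm: str
    components: tuple      # name components, e.g. ("host", "kdc1.def.abc.edu")
    name_type: int         # KRB5_NT_PRINCIPAL = 1
    timestamp: int
    kvno: int
    enctype: int           # 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96
    key: bytes

    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _read_counted(data: bytes, off: int):
    """uint16 length followed by that many bytes (counted_octet_string)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        body, off = blob[off:off + abs(size)], off + abs(size)
        if size <= 0:                      # a negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _read_counted(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(body, p)
            comps.append(c.decode())
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", body, p)
        p += 13
        key, p = body[p:p + klen], p + klen
        # An optional 32-bit kvno trailer overrides the 8-bit field when present.
        kvno = struct.unpack_from(">I", body, p)[0] if len(body) - p >= 4 else vno8
        entries.append(KeytabEntry(realm.decode(), tuple(comps), name_type, ts, kvno, enctype, key))
    return entries


def serialize_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        body += b"".join(_counted(c.encode()) for c in e.components)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)          # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def convert_realm(entries, new_realm, old_realm=None):
    """Apply the man page's rules: no-op if NEWREALM is already present, infer
    OLDREALM only when the keytab holds a single realm, then append one
    duplicate per OLDREALM entry with identical key and kvno."""
    if any(e.realm == new_realm for e in entries):
        return list(entries)
    realms = {e.realm for e in entries}
    if old_realm is None:
        if len(realms) != 1:
            raise ValueError("entries from several realms; old_realm (-o) is required")
        old_realm = realms.pop()
    dups = [dc_replace(e, realm=new_realm) for e in entries if e.realm == old_realm]
    return list(entries) + dups


def convert_keytab_blob(blob: bytes, new_realm: str, old_realm=None) -> bytes:
    return serialize_keytab(convert_realm(parse_keytab(blob), new_realm, old_realm))


def sample_keytab() -> bytes:
    """Constructed sample: one host principal with two enctypes; keys are dummy bytes."""
    comps = ("host", "kdc1.def.abc.edu")
    return serialize_keytab([
        KeytabEntry("DEF.ABC.EDU", comps, 1, 1195680000, 3, 18, bytes(range(32))),
        KeytabEntry("DEF.ABC.EDU", comps, 1, 1195680000, 3, 17, bytes(range(16))),
    ])


if __name__ == "__main__":
    for e in parse_keytab(convert_keytab_blob(sample_keytab(), "ABC.EDU")):
        print(e.principal(), "kvno", e.kvno, "enctype", e.enctype)
```

Running it on the sample produces four entries: the two original DEF.ABC.EDU entries plus two ABC.EDU entries carrying bit-identical keys and kvno 3, and running it a second time changes nothing because ABC.EDU is now present. The duplicated keys are only useful if the new KDC holds the same service keys, which is what the "-new_realm" dump described above arranges; once services have moved, the old-realm entries should be dropped and the keys rotated so the migration does not leave one key valid under two realms indefinitely.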