Changing the realm of an existing KDC

Shivakeshav Santi ss488 at cornell.edu
Mon Nov 26 11:02:27 EST 2007


Hi Matt,

    Thank you for the response. I think what you wrote was not
incorporated. Can you send me the stuff you wrote, if you have it with you?

Thanks,

At 04:27 PM 11/21/2007, Matt Crawford wrote:

>On Nov 21, 2007, at 2:40 PM, Shivakeshav Santi wrote:
>
>>     Is there a way to change the realm of an existing KDC? I know
>>that we can create a new KDC with a different realm, but is there a
>>way to get the data from the OLD KDC (which has a different realm)
>>into this new KDC?
>>
>>For ex: I have a KDC with a realm : DEF.ABC.EDU
>>Now I want to change the realm to : ABC.EDU
>
>And presumably you want to keep the user principals' records intact.
>
>I had to do this long ago. I added a "-new_realm" option to
>kdb5_util's dump function that changed the user keys with the regular
>salt into keys with "special" salt, with the old name as the value of
>the special salt. The next time each user changed their password, the
>special salt entry went away.
>
>I suspect what I wrote then was not incorporated and maintained and
>would need revision now.
>
>
>I also provided sysadmins a keytab-convert program ...
>
>KEYTAB-CONVERT(1)                                          KEYTAB-CONVERT(1)
>
>
>
>NAME
>        keytab-convert - Update a Kerberos keytab file for a change of realm.
>
>SYNOPSIS
>        keytab-convert [-v] [-o OLDREALM] [-n NEWREALM] [keytabfile]
>
>DESCRIPTION
>        The keytab-convert command scans the named keytab, or the default
>        keytab /etc/krb5.keytab if omitted, looking for principals belonging
>        to NEWREALM.  Only if none are found, it will create a duplicate
>        keytab entry for each entry found in OLDREALM, keeping the same key
>        and kvno and changing the realm to NEWREALM.
>
>        This is only useful, of course, if keys are to be preserved during
>        the transition to NEWREALM.
>
>        The default NEWREALM is the host's default realm from /etc/krb5.conf.
>
>        The default OLDREALM is the realm of the existing keytab entries, but
>        only if they all have the same realm.
>
>
>OPTIONS
>        -n NEWREALM
>               The new keytab entries are given a realm of NEWREALM instead
>               of the host's default realm.
>
>
>        -o OLDREALM
>               Keytab entries with a realm of OLDREALM are duplicated into
>               the new realm.  This option is required if the keytab already
>               contains entries from two or more realms.
>
>
>        -v     Cause verbose output during execution.
>
>
>SEE ALSO
>        ktutil(8), kadmin(8).
>
>BUGS
>        None known.
>

Shivakeshav Santi

Programmer Analyst/Spec

Cornell Information Technologies
120 Maple Avenue
Cornell University
Tel :6072551916(O)
       6075926806(M)
       6073302080(H)

Ability may get you to the top, but only character will keep you there .....
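The special-salt trick Matt describes for the "-new_realm" dump option rests on how Kerberos derives a user's key from the password: the default salt is the realm followed by the principal's name components, so renaming DEF.ABC.EDU to ABC.EDU silently changes every user's salt and the stored keys stop verifying unless the old salt is recorded explicitly. The following is an added example, not the code from the thread or from MIT krb5; it models only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 aes128 string-to-key function (the final AES-based DK step is left out, which does not change the salt behaviour), and the user name "alice", the password and the record layout are constructed for the illustration.

```python
"""Added example: why a realm rename breaks password-derived keys unless the
old default salt is pinned as a 'special' salt (modelled, not MIT krb5 code)."""
import hashlib

ITERATIONS = 4096      # RFC 3962 default iteration count
KEY_LEN = 16           # aes128-cts-hmac-sha1-96 key size


def default_salt(realm, components):
    """RFC 4120 default salt: realm name followed by the name components."""
    return realm + "".join(components)


def salt_for(entry):
    """'normal' entries use the default salt; 'special' entries carry it explicitly."""
    if entry["salt_type"] == "special":
        return entry["salt"]
    return default_salt(entry["realm"], entry["components"])


def derive(password, salt):
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               ITERATIONS, KEY_LEN)


def key_for(entry, password):
    return derive(password, salt_for(entry))


def move_to_realm(entry, new_realm):
    """Model of the dump-time rewrite: rename the realm and, if the entry used
    the default salt, pin the OLD default salt as a special salt so that the
    stored key still verifies under the new principal name."""
    moved = dict(entry, realm=new_realm)
    if entry["salt_type"] == "normal":
        moved["salt_type"] = "special"
        moved["salt"] = default_salt(entry["realm"], entry["components"])
    return moved


def change_password(entry, password):
    """A password change re-derives the key under the default salt of the
    current realm, so the special-salt record goes away (as in the thread)."""
    fresh = dict(entry, salt_type="normal", salt=None)
    fresh["key"] = key_for(fresh, password)
    return fresh


# Constructed user record; the name and password are made up for the example.
PASSWORD = "correct horse battery staple"
ORIGINAL = dict(realm="DEF.ABC.EDU", components=["alice"],
                salt_type="normal", salt=None)
ORIGINAL["key"] = key_for(ORIGINAL, PASSWORD)


def demo():
    """Returns (key still valid after a naive rename?, after a pinned rename?)."""
    naive = dict(ORIGINAL, realm="ABC.EDU")        # realm changed, salt not pinned
    pinned = move_to_realm(ORIGINAL, "ABC.EDU")    # realm changed, old salt kept
    return (key_for(naive, PASSWORD) == ORIGINAL["key"],
            key_for(pinned, PASSWORD) == ORIGINAL["key"])


if __name__ == "__main__":
    print(demo())
```

The naive rename fails because the KDC would now compute the salt "ABC.EDUalice" instead of "DEF.ABC.EDUalice"; pinning the old string as an explicit salt keeps the existing key usable, and the first password change under the new realm drops the pinned salt again.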
