need project review

Ken Raeburn raeburn at MIT.EDU
Mon Apr 7 19:21:30 EDT 2008

On Apr 7, 2008, at 18:59, Henry B. Hotz wrote:
> You have two design possibilities:
> 1) Keep the old key around in the new keytab file and make the KDC handle
> multiple master keys.
> 2) When you write a new master key, you recode the entire database.
> This could be a very big operation, so you may want to just shut down
> the KDC for the duration.  In turn this means you are depending on
> client failover to other KDCs to maintain service availability.

#2 is incompatible with the KDC using an automatically-replicated (or
simply shared) LDAP service for data storage, and keeping other KDCs
running in the interim.  Unless, I suppose, you find some way to
configure it to keep both sets of data in LDAP at the same time, and
switch the KDCs over after converting.