[36487] in Kerberos


Re: Migrating to new Kerb server - How to move all principals and

daemon@ATHENA.MIT.EDU (Vignesh, Vanna G.)
Thu Sep 18 06:37:10 2014

From: "Vignesh, Vanna G." <vignesh@musc.edu>
To: Rick van Rein <rick@openfortress.nl>
Date: Thu, 18 Sep 2014 10:35:56 +0000
Message-ID: <52B62D8E-4E80-43FB-9B82-D3A046945761@musc.edu>
In-Reply-To: <0D17DBB0-BC10-43A3-8527-041407D79D88@openfortress.nl>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello Rick,

I think there is no back end store. All the principals are created by running the add princ command. All the data rests within Kerberos. Is there no way I can retrieve it to another Kerberos master server?



Sent from my iPhone

> On Sep 18, 2014, at 2:11 AM, "Rick van Rein" <rick@openfortress.nl> wrote:
> 
> Hello Vanna,
> 
> If your backend store is LDAP, I would expect it to be portable.  You can actually try that by having multiple KDCs use the same LDAP, because the KDC has readonly access.  You could temporarily shut down the write actions during the transition (kadmin, kpasswd) but even there I doubt it would be problematic, as LDAP makes atomic object updates and Kerberos contains its data in single objects.
> 
> For other backends I don’t know — maybe a transition to LDAP first, but I don’t know if that’s documented anywhere.
> 
> Does this help?
> 
> Cheers,
> -Rick


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

