[32463] in Kerberos
Renaming a Kerberos realm (all principal info stored in LDAP DIT)
daemon@ATHENA.MIT.EDU (Holger Rauch)
Tue Jun 15 05:40:08 2010
Date: Tue, 15 Jun 2010 11:39:08 +0200
From: Holger Rauch <holger.rauch@empic.de>
To: kerberos@mit.edu
Message-ID: <20100615093908.GA20564@heitec.de>
Hi,
I would like to know whether it's possible to rename a Kerberos realm
when all Kerberos related info is stored in an LDAP DIT (OpenLDAP and
MIT Kerberos running on Debian Lenny AMD64)?
Reason for this is that I will move my KDC to a new internal subnet
(having a new internal DNS domain) and I would like my Kerberos realm
to be "in sync" with the new DNS domain name.
The Kerberos related info is stored in an "ou" (organizationalUnit)
subtree named "krb5" (initially populated with kdb5_ldap_util).
Is it "safe" to
- shutdown both KDC and kadmin server
/etc/init.d/krb5-kdc stop
/etc/init.d/krb5-admin-server stop
- shutdown OpenLDAP (/etc/init.d/slapd stop)
- dump the DIT (slapcat -l <file_name>)
- open DIT file in editor and change all occurrences from
MY.OLD.REALM to MY.NEW.REALM
- modify the realm name in /etc/krb5.conf and /etc/krb5kdc/kdc.conf
accordingly
- delete old LDAP databases
- start OpenLDAP in order to obtain a fresh database
(/etc/init.d/slapd start)
- shutdown OpenLDAP again (/etc/init.d/slapd stop)
- add DIT again (slapadd -l <file_name>)
- restart OpenLDAP (/etc/init.d/slapd start)
or did I forget any relevant step(s)/substep(s)?
Thanks in advance for sharing your thoughts & kind regards,
Holger
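A worked example, added here and not part of Holger's mail or of the MIT Kerberos distribution, of the "dump, edit, reload" step from the list above done with a script instead of an editor. It assumes the DIT layout cn=<REALM>,cn=krb5,dc=example,dc=com, the realm names MY.OLD.REALM and MY.NEW.REALM, and a constructed LDIF sample in place of a real slapcat dump; none of those names come from the post. Two things an editor pass easily misses are handled: slapcat folds long lines (continuation lines start with a space), so the realm string can be split across a fold, and values with non-ASCII or non-printable bytes are written base64-encoded ("attr:: ..."), where a text substitution cannot see them. What no edit of the dump can fix: the realm is part of every principal name, so every keytab on every host has to be regenerated, and with the default salt type it is also part of the string-to-key salt of password-derived keys, so after the rename the KDC computes a different salt than the stored keys were made with and password logins fail until each password is set again. That is why a realm rename is usually done as building a new realm and migrating principals into it.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: rewrite a Kerberos realm name in a
# slapcat(8) LDIF dump of the krb5 subtree. Assumes the hypothetical DIT layout
# cn=<REALM>,cn=krb5,dc=example,dc=com and the realm names below.
set -eu

OLD_REALM="${OLD_REALM:-MY.OLD.REALM}"
NEW_REALM="${NEW_REALM:-MY.NEW.REALM}"

# slapcat folds lines longer than 76 characters by continuing them on the next
# line with a leading space, so a realm string can be split across a fold and
# escape a plain substitution. Join continuation lines first; slapadd accepts
# unfolded lines of any length.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { print buf }
    '
}

# Rewrite the realm where it appears as plain text: the realm part of principal
# names (name@OLD), the instance of the local TGS principal (krbtgt/OLD@...),
# and the realm container DN and cn attribute. Cross-realm principals such as
# krbtgt/OTHER@OLD keep their remote-realm instance.
rewrite_realm() {
    local old="$1" new="$2" old_re
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # dots are literal in the ERE
    sed -E \
        -e 's#krbtgt/'"$old_re"'@#krbtgt/'"$new"'@#g' \
        -e 's#@'"$old_re"'$#@'"$new"'#' \
        -e 's#@'"$old_re"',#@'"$new"',#g' \
        -e 's#^cn: '"$old_re"'$#cn: '"$new"'#' \
        -e 's#cn='"$old_re"',#cn='"$new"',#g'
}

# Full pipeline: LDIF on stdin, rewritten LDIF on stdout.
rename_realm_ldif() {
    unfold_ldif | rewrite_realm "$1" "$2"
}

# Base64-encoded values ("attr:: ...") are opaque to sed. Decode each one and
# print the attribute name when the old realm is still inside, so it can be
# fixed by hand. A krbPrincipalKey flagged here has an explicit salt that
# contains the old realm.
find_encoded_realm() {
    local old="$1" line
    unfold_ldif | while IFS= read -r line; do
        case "$line" in
            *'::'*)
                if printf '%s' "${line#*:: }" | base64 -d 2>/dev/null \
                        | grep -q -F -- "$old"; then
                    printf '%s\n' "${line%%::*}"
                fi
                ;;
        esac
    done
}

# Constructed sample dump, not real data. The kadmin/admin DN is folded in the
# middle of the realm name on purpose, and the last entry is base64-encoded
# because its principal name contains a non-ASCII character.
sample_ldif() {
    cat <<EOF
dn: cn=MY.OLD.REALM,cn=krb5,dc=example,dc=com
objectClass: krbRealmContainer
cn: MY.OLD.REALM

dn: krbPrincipalName=krbtgt/MY.OLD.REALM@MY.OLD.REALM,cn=MY.OLD.REALM,cn=krb5,dc=example,dc=com
krbPrincipalName: krbtgt/MY.OLD.REALM@MY.OLD.REALM
krbPrincipalKey:: MIIBAQ==

dn: krbPrincipalName=kadmin/admin@MY.OLD.REALM,cn=MY.OLD.RE
 ALM,cn=krb5,dc=example,dc=com
krbPrincipalName: kadmin/admin@MY.OLD.REALM

dn:: $(printf '%s' 'krbPrincipalName=jörg@MY.OLD.REALM,cn=MY.OLD.REALM,cn=krb5,dc=example,dc=com' | base64 | tr -d '\n')
krbPrincipalName:: $(printf '%s' 'jörg@MY.OLD.REALM' | base64 | tr -d '\n')
EOF
}

# Demo run: rewritten dump on stdout, attributes that still need a manual fix
# on stderr. For a real migration, feed the slapcat output file instead.
sample_ldif | rename_realm_ldif "$OLD_REALM" "$NEW_REALM"
sample_ldif | find_encoded_realm "$OLD_REALM" | sed 's/^/needs manual fix: /' >&2
```

Feed the file written by slapcat -l into rename_realm_ldif and hand the result to slapadd only after every attribute reported on stderr has been corrected; the krb5.conf and kdc.conf changes from the mail, and the keytab regeneration on every host, are separate steps this script does not perform.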
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos