[32500] in Kerberos
Re: Change Realm Name
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jul 9 13:59:10 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <AANLkTikojW7XPnNjllQEbklDrUPozKtSN0QIpBkLML6f@mail.gmail.com>
(Josh Catana's message of "Fri, 9 Jul 2010 11:51:20 -0400")
Date: Fri, 09 Jul 2010 10:59:04 -0700
Message-ID: <87oceg4jvb.fsf@windlord.stanford.edu>
Josh Catana <jcatana@gmail.com> writes:
> Is it possible to change the name of a Kerberos realm from OLD.PLACE.COM to
> NEW.PLACE.COM?
> Something like:
> kdb5_util dump -mkey_convert -new_mkey_file .k5.NEW.PLACE.COM krb5db.dump
> sed -i -e 's/OLD.PLACE.COM/NEW.PLACE.COM/g' krb5db.dump
> kdb5_util load -update krb5db.dump
> Why doesn't this work?

Because all the keys in the KDC are salted with the old realm name.

IIRC, there's some way to permit this with recent Kerberos clients that
can support an alternative salt, but I don't remember the details of how
to make it work. But hopefully those keywords will help get you pointed
in the right direction.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
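
Added example, not part of the original message or of MIT Kerberos: a Python sketch of why renaming the realm in the dump leaves password-derived keys unusable, and why a client that is given the old salt still derives the right key. It assumes the RFC 4120 default salt (realm followed by the principal's name components) and models only the PBKDF2 stage of the RFC 3962 AES string-to-key; the principal, passphrase and function names are constructed for illustration.

```python
import hashlib


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm, then each name component, no separators.

    Assumes no escaped '/' or '@' inside the principal name.
    """
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.

    The final DK(tkey, "kerberos") step is omitted; it does not change
    the dependence of the key on the salt.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 32)


def client_key(password: str, principal: str, salt_hint: bytes = None) -> bytes:
    """Key a client derives: explicit salt if one is supplied, else the default."""
    salt = salt_hint if salt_hint is not None else default_salt(principal)
    return pbkdf2_stage(password, salt)


def rename_demo(password: str = "constructed-passphrase") -> dict:
    old = "alice@OLD.PLACE.COM"   # constructed sample principal
    new = "alice@NEW.PLACE.COM"   # same entry after the sed rename
    # The key in the database was derived once, with the old realm in the salt.
    # Editing names in the dump does not re-derive it.
    stored = pbkdf2_stage(password, default_salt(old))
    return {
        # Client computes the default salt from the new realm: mismatch.
        "default_salt_matches": client_key(password, new) == stored,
        # Client is told to use the old salt explicitly: match.
        "old_salt_matches": client_key(password, new, default_salt(old)) == stored,
    }


if __name__ == "__main__":
    print(default_salt("alice@NEW.PLACE.COM"))
    print(rename_demo())
```

Keys that were generated randomly rather than from a password (typical for service keytabs) do not go through this derivation, so the sketch applies to password-based principals.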