[36213] in Kerberos


Re: copy users from one realm to another

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 23 16:54:34 2014

Message-ID: <53A893F9.1090907@mit.edu>
Date: Mon, 23 Jun 2014 16:54:17 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: "Paul B. Henson" <henson@acm.org>, kerberos@mit.edu
In-Reply-To: <015101cf8f20$a56e7a00$f04b6e00$@acm.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 06/23/2014 04:20 PM, Paul B. Henson wrote:
> Am I misremembering? Is there any way to copy an existing Kerberos database
> for realm A to realm B without requiring resetting passwords?

It's possible in theory, but we don't currently provide tooling for it.
The problems I'm aware of include:

1. As you noted, the default salt of a principal includes the realm
name.  To rename a principal entry with a password-based key, you have
to modify the key data of that principal to include an explicit salt.
We provide a kadmin operation which does that for a single principal,
but not for a whole realm.

2. The master key stash file (since 1.7) is a keytab file with the key
filed under K/M@oldrealm.  This has to be modified to have the key filed
under K/M@newrealm.

3. krbtgt principal entries (local and cross-realm) need to have their
second components renamed as well as their realm names.  Cross-realm
krbtgt principal entries need to be renamed in the foreign database as
well as the local one.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
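Added illustration (not part of the thread, and not MIT krb5 code): a small model of why point 1 above bites. It builds the default salt the way RFC 4120 defines it (realm followed by the name components), derives key material from a password with the PBKDF2 stage of the RFC 3962 AES string-to-key (the final DK step is omitted, which does not affect the salt argument), and shows that a realm rename only keeps password verification working if the old default salt is recorded explicitly on the entry; the krbtgt second-component rename from point 3 is modelled too. All entry and realm names are constructed.

```python
# Added example, not code from the mailing-list thread or from MIT krb5.
import hashlib
from dataclasses import dataclass
from typing import List, Optional

PBKDF2_ITERATIONS = 4096  # RFC 3962 default iteration count

def default_salt(realm: str, components: List[str]) -> str:
    """RFC 4120 default salt: realm then the name components, no separators."""
    return realm + "".join(components)

def string_to_key(password: str, salt: str) -> bytes:
    # PBKDF2-HMAC-SHA1 stage of aes128-cts string-to-key (16-byte output).
    # The DK(tkey, "kerberos") step is omitted here (would need AES).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               PBKDF2_ITERATIONS, 16)

@dataclass
class Entry:
    components: List[str]
    realm: str
    key: bytes
    salt: Optional[str] = None  # None means "use the default salt"

    def effective_salt(self) -> str:
        if self.salt is not None:
            return self.salt
        return default_salt(self.realm, self.components)

def create_entry(components: List[str], realm: str, password: str) -> Entry:
    """New password-based principal: key derived with the default salt, no explicit salt stored."""
    return Entry(components, realm,
                 string_to_key(password, default_salt(realm, components)))

def verify_password(entry: Entry, password: str) -> bool:
    return string_to_key(password, entry.effective_salt()) == entry.key

def move_to_realm(entry: Entry, new_realm: str, pin_salt: bool) -> Entry:
    """Rename an entry into new_realm.  pin_salt=True records the old default
    salt explicitly (the per-principal fix the thread describes); False is a
    naive rename of the realm string only.  krbtgt/<OLDREALM> gets its second
    component renamed as well (point 3 in the thread)."""
    salt = entry.effective_salt() if pin_salt else entry.salt
    comps = list(entry.components)
    if comps[0] == "krbtgt" and len(comps) == 2 and comps[1] == entry.realm:
        comps[1] = new_realm
    return Entry(comps, new_realm, entry.key, salt)
```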
