[38397] in Kerberos


Re: Migrating principals between realms

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Dec 13 14:42:15 2018

To: Angel Kafazov <akafazov@cst-bg.net>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <f362d466-d9f7-6d25-112f-b438b7e643c4@mit.edu>
Date: Thu, 13 Dec 2018 14:41:57 -0500
MIME-Version: 1.0
In-Reply-To: <CAJQo--uVrJBe4=oFFLTweePpTJ=koME+HnS=LKLuvgY=NMTYHw@mail.gmail.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 12/12/2018 09:39 AM, Angel Kafazov wrote:
> I need to migrate principals from one kerberos server to another. Both
> servers have different realms. Is this possible?

It's tricky.  If a principal has a password-based key, by default the 
key is salted with the concatenation of the realm and principal name, 
like "ATHENA.MIT.EDUraeburn".  If you move the principal entry to the 
new realm, the default salt changes and clients will compute the wrong key.

A workaround is to run kadmin's "renprinc" command on the principal 
entry before migrating it, and then rename it back to what it was. 
renprinc records the old default salt as an explicit salt in the 
principal key data, effectively fixing its value so that the correct 
salt will be presented to clients in the new realm.

I believe you will also need to use kdb5_util dump's "-mkey_convert" 
option so that the principal key data will be encrypted in the master 
key of the new realm.

This thread contains more details (but the use case was a full realm 
rename, not migrating principal entries):

http://mailman.mit.edu/pipermail/kerberos/2014-June/019948.html
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
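The salt problem Greg describes can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the thread or from MIT krb5. It builds the default salt the way the reply describes (realm followed by the principal name components, giving "ATHENA.MIT.EDUraeburn"), runs the PBKDF2 stage of the RFC 3962 aes256-cts string-to-key on it, and simulates a principal entry whose key data either carries no explicit salt or has one recorded by a renprinc step. The way renprinc is modelled (copying the current default salt into an explicit salt field before renaming) is an assumption chosen to reproduce the effect the reply states; the password, principal and realm names are constructed sample values, and master-key re-encryption (kdb5_util dump -mkey_convert) is not modelled.

```python
"""Model of why a principal's password-derived key stops working after a
cross-realm migration, and why recording an explicit salt (kadmin renprinc)
preserves it. Added example, not code from the thread or from MIT krb5."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def default_salt(realm: str, principal: str) -> str:
    """Default v5 salt: realm followed by all name components, no separators.
    default_salt("ATHENA.MIT.EDU", "raeburn") -> "ATHENA.MIT.EDUraeburn"
    default_salt("ATHENA.MIT.EDU", "host/kdc.example.com") -> "ATHENA.MIT.EDUhostkdc.example.com"
    """
    return realm + "".join(principal.split("/"))


def string_to_key_prefix(password: str, salt: str) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 aes256-cts-hmac-sha1-96
    string-to-key (4096 iterations, 32 bytes). The final DK(..., "kerberos")
    step is a fixed function of this output, so it is omitted here: a
    different result at this stage already means a different Kerberos key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


@dataclass
class KeyData:
    key: bytes                            # long-term key, fixed when the password was set
    explicit_salt: Optional[str] = None   # None: the KDC advertises the default salt


@dataclass
class PrincipalEntry:
    name: str
    realm: str
    keydata: KeyData

    @classmethod
    def create(cls, name: str, realm: str, password: str) -> "PrincipalEntry":
        # Key derived once, with the default salt of the realm it was created in.
        salt = default_salt(realm, name)
        return cls(name, realm, KeyData(string_to_key_prefix(password, salt)))

    def advertised_salt(self) -> str:
        """Salt the KDC would send the client (as in PA-ETYPE-INFO2)."""
        if self.keydata.explicit_salt is not None:
            return self.keydata.explicit_salt
        return default_salt(self.realm, self.name)


def renprinc(entry: PrincipalEntry, new_name: str) -> None:
    """Assumed model of kadmin renprinc: the current default salt is frozen as
    an explicit salt so the key stays valid under the new name."""
    if entry.keydata.explicit_salt is None:
        entry.keydata.explicit_salt = default_salt(entry.realm, entry.name)
    entry.name = new_name


def migrate(entry: PrincipalEntry, new_realm: str) -> None:
    """Move the entry to another realm; the stored key bytes do not change."""
    entry.realm = new_realm


def client_can_authenticate(entry: PrincipalEntry, password: str) -> bool:
    """The client derives a key from the advertised salt and must hit the stored key."""
    return string_to_key_prefix(password, entry.advertised_salt()) == entry.keydata.key


def compare_migration(password: str = "constructed-sample-password",
                      name: str = "raeburn",
                      old_realm: str = "ATHENA.MIT.EDU",
                      new_realm: str = "EXAMPLE.COM") -> tuple:
    """Returns (naive_migration_works, renprinc_migration_works)."""
    naive = PrincipalEntry.create(name, old_realm, password)
    migrate(naive, new_realm)          # default salt now "EXAMPLE.COMraeburn"

    fixed = PrincipalEntry.create(name, old_realm, password)
    renprinc(fixed, name + "-tmp")     # records "ATHENA.MIT.EDUraeburn" explicitly
    renprinc(fixed, name)              # rename back; explicit salt is kept
    migrate(fixed, new_realm)

    return client_can_authenticate(naive, password), client_can_authenticate(fixed, password)


if __name__ == "__main__":
    print(compare_migration())        # (False, True)
```

Running it shows the naive move failing and the renprinc-then-rename-back sequence succeeding, because the advertised salt after migration is still the one the stored key was derived with. In a real migration the explicit salt survives kdb5_util dump and load, so the same holds for principals imported into the new realm's database.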
