[5460] in Kerberos
Re: migrating kerberos to another server
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Tue Jul 4 12:54:40 1995
To: kerberos@MIT.EDU
Date: 4 Jul 1995 16:40:33 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)

In article <3talmo$1m8@lantana.singnet.com.sg>, koonteck@merlion.singnet.com.sg (Chua Koon Teck) writes:
|> I am currently trying to migrate my kerberos server from one server to another.
|> My question is can I simply copy all the kerberos binaries such as kerberos,
|> kpropd, kadmind and all the principal files to the new server. I also need to
|> copy the .k file. Do I need to reload the principal files in the new machine.
|> How can I change the master password of the kerberos ?

If the target machine for the move uses the same byte order and the same
integer size as the source machine, then you can probably just copy all of the
binaries and database files to the new machine. However, when copying the
database file, be careful to use something that understands sparse files
(e.g., GNU tar's "--sparse" option), or you'll end up with a database taking
up a lot more space than it needs to on the target machine.

A safer way to do the move is to use kdb_util (I'm assuming that you're
talking about V4 Kerberos, rather than V5, because you mentioned ".k" instead
of ".k5-REALM"; in the future, when you're posting to comp.protocols.kerberos
or sending mail to kerberos@mit.edu, please mention what version of Kerberos
you're using and what distribution of it (e.g., MIT, Cygnus, etc.) as well) to
dump the database on the source machine and then reload it on the target
machine. That way, you don't have to worry about byte order or integer sizes,
and you can be sure that the file will be created sparse on the target machine.
If you're using V5 instead of V4, you'd use kdb5_edit rather than kdb_util to
do the dump and load.

In V4, kdb_util has a "new_master_key" command which will dump the database
with a new master key. You then need to reload the database with the kdb_util
"load" command and then stash your new master key with kdb_stash. In V5,
there's currently no easy way to change the master key. I just finished
implementing changes to OV's version of kdb5_edit to make it possible to do
this; I'm not sure if I'll be able to give those patches back to MIT, but I
certainly hope to.
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
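
The sparse-file caveat in the message above, as an added example that is not part of the original post: it copies a constructed sparse file with and without hole preservation, then compares apparent size, allocated size and SHA-256. The file name `sample.db` and the helpers `sizes`, `digest`, `copy_file` and `demo` are hypothetical, and the script assumes a POSIX system where `st_blocks` is reported.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # copy granularity; all-zero blocks of this size become holes


def sizes(path):
    """Return (apparent_bytes, allocated_bytes); st_blocks is in 512-byte units."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def digest(path):
    """SHA-256 of the file contents, to confirm the copy is byte-identical."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def copy_file(src, dst, keep_holes):
    """Copy src to dst; with keep_holes, seek over zero blocks instead of writing."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(BLOCK):
            if keep_holes and chunk.count(0) == len(chunk):
                fout.seek(len(chunk), os.SEEK_CUR)  # leave a hole
            else:
                fout.write(chunk)
        fout.truncate(fin.tell())  # set final length if the file ends in a hole
        fout.flush()
        os.fsync(fout.fileno())


def demo(workdir):
    """Build a constructed sparse file, copy it both ways, report the results."""
    src = os.path.join(workdir, "sample.db")  # constructed stand-in, not a real KDC file
    with open(src, "wb") as f:
        f.write(b"first-record")
        f.seek(8 * 1024 * 1024)  # 8 MiB hole
        f.write(b"last-record")
    report = {"source": sizes(src) + (digest(src),)}
    for name, keep in (("naive", False), ("sparse", True)):
        dst = os.path.join(workdir, name + ".db")
        copy_file(src, dst, keep)
        report[name] = sizes(dst) + (digest(dst),)
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, (apparent, allocated, sha) in demo(d).items():
            print(f"{name:7} apparent={apparent} allocated={allocated} sha256={sha[:16]}")
```

Both copies have the same apparent size and hash as the source; only the allocated size differs, which is the figure to compare on the target machine after a move.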