Re: MIT & Heimdal playing together?

Thank you, Henry, for your precise & informative answer!

I found the hprop option you mention: --source=mit-dump

I think this kdb5_util dump option is necessary for compatibility: -b7

I transferred our database as follows:

ssh tor kdb5_util dump -b7 | hprop -d - --source=mit-dump -n | hpropd -n

Unfortunately, it's not quite working:

kadmin> list *
kadmin: get host/tor.lat@LAT: No correct master key
kadmin: get smtp/tor.lat@LAT: No correct master key

I suspect the problem is that the KDCs use different encryption types.  
Our MIT KDC uses des3-hmac-sha1:

kdc.conf: master_key_type = des3-hmac-sha1

While I guess our Heimdal KDC uses des-cbc-crc:

kdc.conf: #master_key_type = des-cbc-crc

I found this lone message concerning transferring Kerberos databases  
from MIT to Heimdal:  

However I haven't succeeded in re-keying our database. I thought I need  
to create a new des-cbc-crc master key with which to re-key our  
database, but kdb5_util stash doesn't allow this.

Has anyone here any suggestions? Or should I ask on the MIT list?

Thanks very much everyone,


On Oct 4, 2004, at 11:48 AM, Henry B.Hotz wrote:

> Authentication and password changes (kinit and kpasswd) are compatible  
> (at least on the wire, and sometimes elsewhere).
> Administration and DB propagation (kadmin and {h,k}prop[d]) are not  
> compatible.
> There is an option for hprop (or is it hpropd?) to support importing a  
> MIT dump file.  Someone was asking a week or two ago about the other  
> direction, but AFAIK there's nothing implemented for that.
> On Oct 3, 2004, at 11:40 AM, ms419@freezone.co.uk wrote:
>> I'm running MIT Kerberos on one system & Heimdal on another. I tried  
>> transferring my Kerberos database from MIT to Heimdal using kdb5_util  
>> dump & kadmin: load, but I merely got a bunch of errors:
>> error parsing created event
>> Is there any way to transfer a Kerberos database from MIT to Heimdal?
>> I also tried connecting to the MIT kadmind using the Heimdal kadmin.  
>> Unfortunately, kadmin hung indefinitely after prompting for my admin  
>> principal's password.
>> Is there, perhaps, some documentation discussing MIT & Heimdal  
>> interoperation? What's possible & what's not?
>> I found some related topics on Google & Gmane, but so far no answers.
>> Thank you for any help!
>> Jack
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu