
Re: MIT & Heimdal playing together?



I think you can also use hprop with the -m flag to decrypt MIT's dump with 
your old master key.  It worked fine for me converting from an MIT 1.2.7 KDC 
with whatever the default master key type was.  You may or may not have the 
strange SUSE 9.0 issue described here:

http://www.stacken.kth.se/lists/heimdal-discuss/2003-10/msg00052.html

hth.
-ben

On Thursday 07 October 2004 06:57 pm, Henry B. Hotz wrote:
> On Oct 6, 2004, at 3:37 PM, ms419@freezone.co.uk wrote:
> > I suspect the problem is that the KDCs use different encryption types.
> > Our MIT KDC uses des3-hmac-sha1:
> >
> > kdc.conf: master_key_type = des3-hmac-sha1
> >
> > While I guess our Heimdal KDC uses des-cbc-crc:
> >
> > kdc.conf: #master_key_type = des-cbc-crc
> >
> > I found this lone message concerning transferring Kerberos databases
> > from MIT to Heimdal:
> > http://www.stacken.kth.se/lists/heimdal-discuss/2001-10/msg00049.html
> >
> > However I haven't succeeded in re-keying our database. I thought I
> > need to create a new des-cbc-crc master key with which to re-key our
> > database, but kdb5_util stash doesn't allow this.
> >
> > Has anyone here any suggestions? Or should I ask on the MIT list?
>
> Is there an MIT option to do the dump in decrypted form?  That might be
> something to ask on the MIT kerberos list if you can't find one.  Then
> you just let Heimdal re-encrypt it.  No need to transfer master keys at
> all.
>
> On Heimdal the master key file is just a normal keytab.  You can use
> all the normal tools to create it with the right kvno/enctype to match
> your old MIT key.
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu