
Re: How to migrate from MIT krb5 -> Heimdal?

On Tue, 23 Jan 2007 14:14:34 -0800
David Wolfskill <dhw@mail-abuse.org> wrote:

> We are currently using Kerberos (MIT -- possibly "customized" -- on the
> master & slave servers; MIT on a few older client machines; Heimdal on
> the newer client machines) in a predominantly FreeBSD environment.
> This arrangement (where the master & slave KDC run MIT while the
> bulk of the clients run Heimdal) has been working as long as we do
> such things as run "kadmin" on one of the older client machines
> that has MIT krb5 installed, but we need to replace the client
> machine where we run the "kadmin" stuff with a newer one, and we
> would prefer to just use the plain "vanilla" Heimdal Kerberos 5
> implementation that we get "for free" with FreeBSD.
> We have no need whatsoever to have any concerns about interoperability
> with other Kerberos implementations, whether Kerberos 4 or from
> non-FreeBSD environments.
> Is there a way to copy the salient information from the MIT krb5 KDC to
> a shiny new Heimdal KDC in such a way that the Heimdal KDC can then
> actually use the information to create or validate tickets?

I don't use KDCs for anything but testing my products, so take what I
say with a grain of salt, but if you're using "standard" keytab files,
my understanding is that Heimdal and MIT are completely compatible. You
may want to make sure Heimdal is configured to support all the enctypes
used in your current files, but otherwise I would just try to create a
standard Heimdal KDC, import the keytab with ktutil and go.


Michael B Allen
PHP Active Directory SSO