
Re: How to migrate from MIT krb5 -> Heimdal?

On Tue, 2007-01-23 at 21:04 -0500, Michael B Allen wrote:
> On Tue, 23 Jan 2007 14:14:34 -0800
> David Wolfskill <dhw@mail-abuse.org> wrote:
> > We are currently using Kerberos (MIT -- possibly "customized" -- on the
> > master & slave servers; MIT on a few older client machines; Heimdal on
> > the newer client machines) in a predominantly FreeBSD environment.
> > 
> > This arrangement (where the master & slave KDC run MIT while the
> > bulk of the clients run Heimdal) has been working as long as we do
> > such things as run "kadmin" on one of the older client machines
> > that has MIT krb5 installed, but we need to replace the client
> > machine where we run the "kadmin" stuff with a newer one, and we
> > would prefer to just use the plain "vanilla" Heimdal Kerberos 5
> > implementation that we get "for free" with FreeBSD.
> > 
> > We have no need whatsoever to have any concerns about interoperability
> > with other Kerberos implementations, whether Kerberos 4 or from
> > non-FreeBSD environments.
> > 
> > Is there a way to copy the salient information from the MIT krb5 KDC to
> > a shiny new Heimdal KDC in such a way that the Heimdal KDC can then
> > actually use the information to create or validate tickets?
> I don't use KDCs for anything but testing my products so take what I
> say with a grain of salt but if you're using "standard" keytab files
> my understanding is that Heimdal and MIT are completely compatible. You
> may want to make sure Heimdal is configured to support all the enctypes
> used in your current files but otherwise I would just try to create a
> standard Heimdal KDC, import the keytab with ktutil and go.

I think David was more after the information about the user migration,
which I understand there are scripts/tools for, as part of the hprop
replication system.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
