On Tue, 2007-01-23 at 21:04 -0500, Michael B Allen wrote:
> On Tue, 23 Jan 2007 14:14:34 -0800
> David Wolfskill <dhw@mail-abuse.org> wrote:
>
> > We are currently using Kerberos (MIT -- possibly "customized" -- on the
> > master & slave servers; MIT on a few older client machines; Heimdal on
> > the newer client machines) in a predominantly FreeBSD environment.
> >
> > This arrangement (where the master & slave KDC run MIT while the
> > bulk of the clients run Heimdal) has been working as long as we do
> > such things as run "kadmin" on one of the older client machines
> > that has MIT krb5 installed, but we need to replace the client
> > machine where we run the "kadmin" stuff with a newer one, and we
> > would prefer to just use the plain "vanilla" Heimdal Kerberos 5
> > implementation that we get "for free" with FreeBSD.
> >
> > We have no need whatsoever to have any concerns about interoperability
> > with other Kerberos implementations, whether Kerberos 4 or from
> > non-FreeBSD environments.
> >
> > Is there a way to copy the salient information from the MIT krb5 KDC to
> > a shiny new Heimdal KDC in such a way that the Heimdal KDC can then
> > actually use the information to create or validate tickets?
>
> I don't use KDCs for anything but testing my products so take what I
> say with a grain of salt but if you're using "standard" keytab files
> my understanding is that Heimdal and MIT are completely compatible. You
> may want to make sure Heimdal is configured to support all the enctypes
> used in your current files but otherwise I would just try to create a
> standard Heimdal KDC, import the keytab with ktutil and go.

I think David was more after the information about the user migration,
which I understand there are scripts/tools for, as part of the hprop
replication system.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com