
Re: How to migrate from MIT krb5 -> Heimdal?

On Jan 23, 2007, at 7:08 PM, Howard Chu wrote:

> Michael B Allen wrote:
>> On Tue, 23 Jan 2007 14:14:34 -0800
>> David Wolfskill <dhw@mail-abuse.org> wrote:
>>
>>
>>> Is there a way to copy the salient information from the MIT krb5 KDC to a shiny new Heimdal KDC in such a way that the Heimdal KDC can then actually use the information to create or validate tickets?
>>>
>>
>> I don't use KDCs for anything but testing my products, so take what I say with a grain of salt, but if you're using "standard" keytab files my understanding is that Heimdal and MIT are completely compatible. You may want to make sure Heimdal is configured to support all the enctypes used in your current files, but otherwise I would just try to create a standard Heimdal KDC, import the keytab with ktutil and go.
>
> The KDC database is not stored in keytab files. You need to use "kdb5_util dump" on the MIT KDC to get a dump file and then import that into Heimdal. Search the archives of this mailing list for details, it's been discussed many times before.

As he says, it's been discussed before, and a search should turn up something. There could be issues with which version of the MIT dump file format is compatible with Heimdal.

The basic procedure would be to get a copy of your MIT dump file on your new Heimdal server. Then you do a

hprop --source=mit-dump --database=<dump file> \
	--decrypt --master-key=<MIT master key file> \
	--stdout | \
hpropd --stdin

I expect that will leave the database decrypted (though hpropd might re-encrypt it). If so, you may need to do a:

hprop --encrypt --master-key=<Heimdal master key file> --stdout | hpropd --stdin

to get it properly encrypted. Note that MIT uses a funny, special format for their master key file. Heimdal supports that format, but it also supports the standard keytab file format, and it supports multiple master keys for decryption (so you could upgrade master keys gradually).

I don't think MIT supports upgrading master keys yet.

A last item to remember: you can import MIT databases into Heimdal. Nobody's ever written the code to import Heimdal databases into MIT. Make sure you want to do this before you actually do. ;-)
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
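An added example, not part of the message above or of Heimdal's or MIT's own tooling: a small set of POSIX sh helpers around the hprop/hpropd procedure Henry describes. It wraps his pipeline in a function, reads the dump-format version from the MIT dump header (the thing he notes may or may not be compatible with a given Heimdal release), and after the import compares the principal names in the MIT dump against a Heimdal listing so that nothing was silently dropped. It assumes the MIT dump is the text format `kdb5_util dump` writes (first line `kdb5_util load_dump version N`, principal records beginning with `princ` and carrying the principal name as the seventh tab-separated field) and that the Heimdal side is a one-principal-per-line list such as `kadmin -l list '*'` prints; both of those are assumptions, and the sample records in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the list message): checks around an
# MIT krb5 -> Heimdal KDC migration done with hprop/hpropd.
#
# Assumptions (not stated in the thread):
#  - the MIT dump is the text format written by "kdb5_util dump": the
#    first line is "kdb5_util load_dump version N" and each principal
#    record starts with "princ", tab-separated, name in field 7;
#  - the Heimdal side is a plain list of principal names, one per line,
#    as produced by "kadmin -l list '*'".

# The import pipeline from the message, with the two inputs as arguments:
#   $1 = MIT dump file on the Heimdal host, $2 = MIT master key file.
# Not exercised by the tests (hprop/hpropd are not available there).
migrate_mit_to_heimdal() {
    hprop --source=mit-dump --database="$1" \
        --decrypt --master-key="$2" \
        --stdout | hpropd --stdin
}

# Print the dump-format version number from the first line of an MIT dump,
# so the operator can compare it against what their hprop release handles.
mit_dump_version() {
    head -n 1 "$1" | awk '$1 == "kdb5_util" && $2 == "load_dump" && $3 == "version" { print $4 }'
}

# Print the principal names found in an MIT dump, one per line, sorted
# and de-duplicated (policy records and anything else are ignored).
mit_dump_principals() {
    awk -F '\t' '$1 == "princ" { print $7 }' "$1" | sort -u
}

# Compare the principals in the MIT dump ($1) with the Heimdal listing ($2).
# Prints every principal present in the dump but missing on the Heimdal
# side; returns 0 when nothing is missing, 1 otherwise.
missing_after_migration() {
    _tmp="${TMPDIR:-/tmp}/krbmig.$$"
    mit_dump_principals "$1" > "$_tmp.src"
    sort -u "$2" > "$_tmp.dst"
    # comm needs both inputs sorted; both went through sort -u above.
    _missing=$(comm -23 "$_tmp.src" "$_tmp.dst")
    rm -f "$_tmp.src" "$_tmp.dst"
    [ -z "$_missing" ] && return 0
    printf '%s\n' "$_missing"
    return 1
}
```

Run `missing_after_migration mit.dump heimdal-principals.txt` after `hpropd` has finished; a non-zero exit with names printed means the Heimdal database is not a complete copy and the import should be repeated or the listed principals investigated before the MIT KDC is retired.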