Migrating principals between realms


Migrating principals between realms

Angel Kafazov
Hello,

I need to migrate principals from one Kerberos server to another. Both
servers have different realms. Is this possible?

Angel
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Migrating principals between realms

Greg Hudson
On 12/12/2018 09:39 AM, Angel Kafazov wrote:
> I need to migrate principals from one Kerberos server to another. Both
> servers have different realms. Is this possible?

It's tricky.  If a principal has a password-based key, by default the
key is salted with the concatenation of the realm and principal name,
like "ATHENA.MIT.EDUraeburn".  If you move the principal entry to the
new realm, the default salt changes and clients will compute the wrong key.

A workaround is to run kadmin's "renprinc" command on the principal
entry before migrating it, and then rename it back to what it was.
renprinc records the old default salt as an explicit salt in the
principal key data, effectively fixing its value so that the correct
salt will be presented to clients in the new realm.

I believe you will also need to use kdb5_util dump's "-mkey_convert"
option so that the principal key data will be encrypted in the master
key of the new realm.

This thread contains more details (but the use case was a full realm
rename, not migrating principal entries):

http://mailman.mit.edu/pipermail/kerberos/2014-June/019948.html
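The salt behaviour Greg describes (default salt = realm followed by principal name components, and renprinc pinning that default as an explicit salt) can be checked with a small model. The following Python is an added example, not code from this thread or from MIT Kerberos: it models only the PBKDF2 stage of the RFC 3962 aes-sha1 string-to-key (the later DK step is a deterministic function of that output, so a differing PBKDF2 result already means a differing key), uses the constructed realms OLD.EXAMPLE.COM and NEW.EXAMPLE.COM, and represents the database entry with a hypothetical KdbEntry class. The master-key re-encryption that kdb5_util -mkey_convert performs is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed example realms; no relation to any real KDC.
OLD_REALM = "OLD.EXAMPLE.COM"
NEW_REALM = "NEW.EXAMPLE.COM"


def default_salt(realm: str, components: List[str]) -> str:
    """RFC 4120 default salt: the realm name followed by the principal's name
    components, concatenated with no separators (e.g. ATHENA.MIT.EDUraeburn)."""
    return realm + "".join(components)


def pbkdf2_tkey(password: str, salt: str, iterations: int = 4096, keylen: int = 32) -> bytes:
    """First stage of the RFC 3962 aes-sha1 string-to-key: PBKDF2-HMAC-SHA1 over
    password and salt.  The real algorithm then applies DK(tkey, "kerberos"),
    a deterministic function of tkey, so it is omitted here: a different tkey
    always yields a different final key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


@dataclass
class KdbEntry:
    """Hypothetical stand-in for one principal's key data in the KDC database."""
    components: List[str]
    realm: str
    key: bytes
    explicit_salt: Optional[str] = None  # None: the KDC uses the default salt

    def salt_presented(self) -> str:
        """Salt the KDC advertises to the client in PA-ETYPE-INFO2."""
        if self.explicit_salt is not None:
            return self.explicit_salt
        return default_salt(self.realm, self.components)


def create_entry(components: List[str], realm: str, password: str) -> KdbEntry:
    """addprinc-style creation: key derived with the realm's default salt."""
    return KdbEntry(components, realm,
                    pbkdf2_tkey(password, default_salt(realm, components)))


def pin_default_salt(entry: KdbEntry) -> KdbEntry:
    """Models the effect Greg attributes to renprinc: the current default salt
    is recorded as an explicit salt, so the key data stops depending on realm."""
    if entry.explicit_salt is None:
        entry.explicit_salt = default_salt(entry.realm, entry.components)
    return entry


def move_to_realm(entry: KdbEntry, new_realm: str) -> KdbEntry:
    """Copy the key data unchanged into another realm."""
    return KdbEntry(list(entry.components), new_realm, entry.key, entry.explicit_salt)


def client_can_authenticate(entry: KdbEntry, password: str) -> bool:
    """The client derives its key from the password plus the salt the KDC
    presents; preauthentication succeeds only if it matches the stored key."""
    derived = pbkdf2_tkey(password, entry.salt_presented())
    return hmac.compare_digest(derived, entry.key)


def migration_outcomes(password: str = "correct horse") -> tuple:
    """Returns (login works after a naive move, login works after pinning the salt)."""
    naive = move_to_realm(create_entry(["alice"], OLD_REALM, password), NEW_REALM)
    pinned = move_to_realm(pin_default_salt(create_entry(["alice"], OLD_REALM, password)),
                           NEW_REALM)
    return (client_can_authenticate(naive, password),
            client_can_authenticate(pinned, password))


if __name__ == "__main__":
    broken, fixed = migration_outcomes()
    print("naive move, client can log in:", broken)   # False
    print("salt pinned, client can log in:", fixed)   # True
```

The PBKDF2 stage can be cross-checked against the RFC 3962 Appendix B vector (iteration count 1, password "password", salt "ATHENA.MIT.EDUraeburn"), and the two migration paths show why a copied entry stops working in the new realm unless the old default salt travels with it as explicit salt.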