On 12/12/2018 09:39 AM, Angel Kafazov wrote:
> I need to migrate principals from one kerberos server to another. Both
> servers have different realms. Is this possible?
It's tricky. If a principal has a password-based key, by default the key is salted with the concatenation of the realm and principal name, like "ATHENA.MIT.EDUraeburn". If you move the principal entry to the new realm, the default salt changes and clients will compute the wrong key.

A workaround is to run kadmin's "renprinc" command on the principal entry before migrating it, and then rename it back to what it was. renprinc records the old default salt as an explicit salt in the principal key data, effectively fixing its value so that the correct salt will be presented to clients in the new realm.

I believe you will also need to use kdb5_util dump's "-mkey_convert" option so that the principal key data will be encrypted in the master key of the new realm.

This thread contains more details (but the use case was a full realm rename, not migrating principal entries):

http://mailman.mit.edu/pipermail/kerberos/2014-June/019948.html

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
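As an added illustration (not part of the thread, and not MIT krb5 code), the following Python models the salt-dependent stage of the RFC 3962 string-to-key path with `hashlib.pbkdf2_hmac` and shows why a principal entry copied into a new realm stops authenticating unless its old default salt has been pinned as an explicit salt first. `PrincipalEntry`, `create_principal`, `pin_default_salt`, `migrate` and `client_can_authenticate` are hypothetical names standing in for the KDB entry, `addprinc`, the `renprinc` round trip, the dump/load step and the client's key computation; the realm and password values are constructed sample data. The final DK() random-to-key step of the real enctype is omitted because it does not depend on the salt, so the equal/unequal outcome is the same.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


def default_salt(realm: str, principal: str) -> str:
    """Kerberos 5 default salt: the realm followed by the principal's name
    components with the '/' separators removed, e.g. "ATHENA.MIT.EDUraeburn"
    or "EXAMPLE.COMhostfoo.example.com" for host/foo.example.com."""
    name, _, _ = principal.partition("@")      # drop any @REALM suffix
    return realm + "".join(name.split("/"))


def string_to_key(password: str, salt: str, iterations: int = 4096) -> bytes:
    """Salt-dependent part of the RFC 3962 (aes256-cts) string-to-key:
    PBKDF2-HMAC-SHA1 over the password with the given salt (the default
    iteration count is 4096). The DK() step is omitted, see lead-in."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


@dataclass
class PrincipalEntry:
    """Hypothetical stand-in for a KDB principal entry: name, realm, stored
    key material, and an optional explicit salt. explicit_salt=None means the
    KDC tells clients to use the default salt for (realm, name)."""
    name: str
    realm: str
    key: bytes
    explicit_salt: Optional[str] = None

    def salt_presented_to_clients(self) -> str:
        if self.explicit_salt is not None:
            return self.explicit_salt
        return default_salt(self.realm, self.name)


def create_principal(name: str, realm: str, password: str) -> PrincipalEntry:
    """Models addprinc: key derived with the default salt, no explicit salt stored."""
    return PrincipalEntry(name, realm, string_to_key(password, default_salt(realm, name)))


def pin_default_salt(entry: PrincipalEntry) -> PrincipalEntry:
    """Models the renprinc-and-rename-back trick: the key bytes are unchanged,
    but the salt that was implicit is now recorded explicitly in the entry."""
    return PrincipalEntry(entry.name, entry.realm, entry.key,
                          entry.salt_presented_to_clients())


def migrate(entry: PrincipalEntry, new_realm: str) -> PrincipalEntry:
    """Models dumping the entry and loading it into a KDC for another realm:
    key material and any explicit salt are copied, only the realm changes."""
    return PrincipalEntry(entry.name, new_realm, entry.key, entry.explicit_salt)


def client_can_authenticate(entry: PrincipalEntry, password: str) -> bool:
    """A client derives its key from the password and the salt the KDC
    presents; authentication works only if that matches the stored key."""
    return string_to_key(password, entry.salt_presented_to_clients()) == entry.key


if __name__ == "__main__":
    original = create_principal("raeburn", "ATHENA.MIT.EDU", "password")   # constructed sample
    naive = migrate(original, "NEW.EXAMPLE.COM")
    pinned = migrate(pin_default_salt(original), "NEW.EXAMPLE.COM")
    print("in original realm:", client_can_authenticate(original, "password"))
    print("moved without renprinc trick:", client_can_authenticate(naive, "password"))
    print("moved after renprinc trick:", client_can_authenticate(pinned, "password"))
```

The `naive` entry fails because the client now salts with `NEW.EXAMPLE.COMraeburn` while the stored key was derived from `ATHENA.MIT.EDUraeburn`; the `pinned` entry keeps working because the old salt travels with the key. Note that this only covers the salt problem; the master-key re-encryption the reply mentions (`-mkey_convert`) is a separate step not modelled here.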