have you looked at using aliases?
in hemdal you can create aliases for principals as other principals
even in other realms.
it works well with a few exceptions.
1) you can only use kpasswd on the original principal or you get an error
2) kadmin has some order of operations issues with it if you use an
alias as an admin principal.
there were also 1 or 2 other weird quarks i found with it too but all
thing considered when I've worked in environment with multiple realms,
and it means that the users only have to change their password in 1
that said there are usually other ways to handle this such as trusts
and cpaths which you should probably consider first.

On Mon, Sep 19, 2016 at 11:45 AM, Love Hörnquist Åstrand <l...@kth.se> wrote:
>   you need to use rename inside kadmin, so import w/o the sed and
>   the rename.  This makes sure the salt is updated, your sed
>   statement doesn't do that.
> This won't work withing a multi-realm KDC because I need to copy, not
> rename.
> your sed trick will only work for keys not salted with principal. If you
> have principal salted keys (default) If you don’t want to use rename, you
> must unpack the key and set a the default salt type (i.e. that rename does).
> Love

Reply via email to