I’ve done it with cross-realm principals so I needed to keep the realm intact.
I’m assuming, now, that *you* want to move [email protected] to [email protected] without changing the password. The standard password-string-to-key algorithm uses the realm name as salt in the algorithm, so that may not work if you’re naive about it.

Assuming you’re running a version of Heimdal which saves the password salt in the text dump, then you should be able to simply change the realm in the principal name (column 1, ‘:’-delimited). Do NOT change the realm in the salt values in subsequent columns. This should do what you want as long as the clients respect the salt values supplied in the extra handshake. I wouldn’t guarantee that all clients will do so.

If you’re running both realms from the same DB, then what others have said about the rename command applies. It will do the change I described above, and you can restore the original principal to keep both.

If you’re using aliases, then note that aliases must be globally unique. If both principals are supposed to be kept in sync permanently, then I would consider a password quality plugin for the purpose. Aliases make me nervous, but maybe they shouldn’t.

> On Sep 16, 2016, at 10:07 PM, Victor Sudakov <[email protected]> wrote:
>
> Henry B (Hank) Hotz, CISSP wrote:
>>> I would like to copy some user principals from one realm to another
>>> while retaining their keys/passwords. Which is the correct way to do
>>> it a) within one multi-realm KDC b) between two KDCs?
>
>> If both are Heimdal, then I’ve done:
>>
>> kadmin -l dump --decrypt | grep ^principal >xfr.file
>> kadmin -l merge xfr.file
>
> Yes, but the xfr.file will contain principals with realms appended,
> but I want to copy principals into a different realm.
>
> Of course, I can use sed/awk to change the realm suffixes:
>
> kadmin -l dump -d | grep ^principal |\
> sed 's/OLD\.REALM/NEW.REALM/' >xfr.file
>
> but are you sure the keys don't depend somehow on those suffixes
> (maybe hashed realm suffixes, I dunno).
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:[email protected] Personal email.

[email protected]
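The salt dependency that the reply above warns about, shown as an added example that is not part of this thread or of Heimdal. It assumes the RFC 4120 default salt (realm name followed by the principal name components, no separators) and the PBKDF2 stage of the RFC 3962 aes128-cts-hmac-sha1-96 string-to-key function (4096 iterations, HMAC-SHA1, 16-byte output); the DK step that real Kerberos applies after PBKDF2 needs AES and is omitted, which does not change the comparison because DK is deterministic in its input. The dump-like line and the `rewrite_principal_realm` / `naive_rewrite` helpers are constructed for illustration and use a simplified field layout, not the exact Heimdal dump format: the point they make is that only the first (principal) field should change and any stored salt must stay as it was.

```python
"""Moving a principal between realms is not a plain string substitution.

Added example, not code from the thread or from Heimdal. Assumptions are
noted in the comments: RFC 4120 default salt, RFC 3962 PBKDF2 parameters,
and a constructed, simplified dump line layout.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # RFC 3962 default iteration count (assumed here)
AES128_KEY_LEN = 16        # aes128-cts-hmac-sha1-96 key length


def default_salt(realm, components):
    """RFC 4120 default salt: realm name followed by the principal's name
    components, concatenated without separators."""
    return realm + "".join(components)


def pbkdf2_stage(password, salt):
    """First stage of RFC 3962 string-to-key. The real algorithm then runs
    DK(tmpkey, "kerberos") over this output; that AES-based step is omitted."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"),
                               PBKDF2_ITERATIONS, AES128_KEY_LEN)


def stored_key(password, realm, components):
    """Key the KDC stored when the password was set in the original realm."""
    return pbkdf2_stage(password, default_salt(realm, components))


def key_after_move(password, old_realm, new_realm, components, carry_salt):
    """Key a client derives for the moved principal.

    carry_salt=False: the KDC no longer tells the client the original salt,
    so the client salts with the new realm and the key no longer matches.
    carry_salt=True: the KDC sends the stored (old-realm) salt in the
    pre-authentication exchange and the client honours it.
    """
    if carry_salt:
        salt = default_salt(old_realm, components)
    else:
        salt = default_salt(new_realm, components)
    return pbkdf2_stage(password, salt)


def rewrite_principal_realm(line, old_realm, new_realm):
    """Change the realm in the first (principal) field only.

    Constructed layout: 'name@REALM kvno:etype:hexkey:salt ...'. This is a
    simplification, not the exact Heimdal dump format; later fields,
    including a stored salt, are deliberately left untouched.
    """
    first, sep, rest = line.partition(" ")
    if first.endswith("@" + old_realm):
        first = first[: -len(old_realm)] + new_realm
    return first + sep + rest


def naive_rewrite(line, old_realm, new_realm):
    """What a global substitution (sed with the g flag) would do to the same
    line: every occurrence changes, including one inside a stored salt."""
    return line.replace(old_realm, new_realm)


if __name__ == "__main__":
    pw, comps = "correct horse battery", ["alice"]
    print("stored           :", stored_key(pw, "OLD.REALM", comps).hex())
    print("moved, new salt  :", key_after_move(pw, "OLD.REALM", "NEW.REALM",
                                               comps, carry_salt=False).hex())
    print("moved, old salt  :", key_after_move(pw, "OLD.REALM", "NEW.REALM",
                                               comps, carry_salt=True).hex())
    # Constructed sample line; the salt is shown as text for readability.
    line = "alice@OLD.REALM 1:18:00112233aabbccdd:OLD.REALMalice"
    print(rewrite_principal_realm(line, "OLD.REALM", "NEW.REALM"))
    print(naive_rewrite(line, "OLD.REALM", "NEW.REALM"))
```

Running it prints three keys: the first and third are identical, the second differs, which is exactly the failure mode of a client that does not honour the salt supplied during pre-authentication. The last two lines show the principal field rewritten with the salt field preserved versus a global substitution that silently alters the salt as well.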
