>First, I remember reading something about changing the realm name at one
>point. How much trouble would it be to implement this? Is there any way to
>do it other than by setting everyone's password again? As well as the host
>principal's keys?

The important thing is that the principal is used as the salt for the
user password to convert it into the secret key.  So TECHNICALLY all you
would need to change is the user passwords.  However ... there is some
provision on the KDC for storing an alternate salt.  You could rename
everyone and store the old principal name as the alternate salt.  I don't
know anyone who's ever actually done this, though, so some piece may be
missing (for one, I don't believe the basic admin tools let you rename
a principal).

>Related to AFS, is there any way to have the kerberos realm be different
>than your afs cell name? I remember seeing something in aklog about this,
>but I wasn't really sure how it functioned. Additionally, if I do this, what
>happens with the server keys/etc. I suppose I could create a new afs service
>key and store it in KeyFile even though it has a completely different
>salt/realm than the previous one.  Has anyone done anything like this?

Yes, that's actually not completely undocumented :-).  Read
AFS_K5_NAME_CHANGE in the AFS-Kerberos 5 migration kit.  There are
some warnings in that file ... but people actually use that, and that
code is known to work.  (Mind you, the person who did that code said to
me later, "If I had known it was going to be this bad, I wouldn't have
done it", but it all does work; it's easier if you don't want to
maintain AFS salt compatibility.)  We use that here, and _if_ you
understand the limitations it works fairly well.

--Ken
