As Ken points out it is the salt that will cause the problem. The default salt for DES is to use the realm and principal components concatenated with the password to generate a key. So if you change the realm, you either have to change the key, or store the salt that was used when the password was changed.
We had a situation similar to this when we wanted to convert from DCE to using an MIT KDC with a different realm. We wanted to copy the user keys so the users would not need to change the passwords. We got this working, but never really used it. You are welcome to the code as an example.

You could run through the database, adding the current salt as KRB5_KDB_SALTTYPE_SPECIAL with the current realm name. Then when you change the realm name, all the existing entries would continue to use the old realm name for the salt. Note you must be using +requires_preauth.

Colin Simpson wrote:
> On Fri, 2006-02-03 at 08:17, Enrico.M.V.Fasanelliatl wrote:
>
>>>If it is necessary for these realms to have cross realm relationships
>>>with any other realms in common or with each other, then one of the
>>>realms must change its name. There is no procedure for changing the
>>>name of a realm hosted by a MIT KDC. However, there is such a procedure
>>>for Windows 2003 Active Directory. It is extremely painful but it is
>>>possible.
>>
>>Hi Jeff,
>>
>>any pointer to the documentation on how to do this?
>>
>>Ciao,
>> Enrico
>>
>
> I presume he's referring to the domain renaming tool in W2003 server
> which presumably will also rename the Kerberos Realm as it goes.
>
> http://support.microsoft.com/kb/819145/en-us
>
> Unfortunately in my case it won't help as the AD domain concerned is
> part of a larger forest that I can't change.
>
> I must say it's quite a surprise that Windows can allow you this
> flexibility but MIT Kerberos doesn't. Is it really impossible with MIT
> Kerberos?
>
> Thanks
>
> Colin
>
> ________________________________________________
> Kerberos mailing list
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
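The salt mechanism Douglas describes, as an added illustration that is not part of the thread or of MIT krb5: the default salt is the realm name followed by the principal's name components with no separators, so a realm rename silently changes every derived key unless the old salt is recorded as a "special" salt on each entry. The realm names, the `string_to_key` stand-in (PBKDF2, not the real DES string-to-key) and all helper names are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Salt-type tags modelled on the KDB salt types mentioned in the thread
# (constructed for this example; the real constants are numeric).
SALTTYPE_NORMAL = "normal"    # salt is recomputed from the current realm
SALTTYPE_SPECIAL = "special"  # salt is whatever string is stored with the key


def default_salt(realm: str, components: List[str]) -> str:
    """Kerberos default salt: realm + name components, no separators."""
    return realm + "".join(components)


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the enctype's string-to-key; only the dependence on the
    # salt matters here. The real DES string-to-key is a different algorithm.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 8)


@dataclass
class KeyEntry:
    components: List[str]
    salttype: str = SALTTYPE_NORMAL
    stored_salt: Optional[str] = None
    key: bytes = b""


def effective_salt(entry: KeyEntry, realm: str) -> str:
    if entry.salttype == SALTTYPE_SPECIAL and entry.stored_salt is not None:
        return entry.stored_salt
    return default_salt(realm, entry.components)


def set_password(entry: KeyEntry, realm: str, password: str) -> None:
    entry.key = string_to_key(password, effective_salt(entry, realm))


def pin_salt(entry: KeyEntry, realm: str) -> None:
    """The pre-rename pass: freeze today's default salt as a special salt."""
    if entry.salttype == SALTTYPE_NORMAL:
        entry.stored_salt = default_salt(realm, entry.components)
        entry.salttype = SALTTYPE_SPECIAL


def realm_rename_preserves_key(pin: bool) -> bool:
    old, new = "OLD.EXAMPLE.ORG", "NEW.EXAMPLE.ORG"  # constructed realm names
    entry = KeyEntry(["alice"])
    set_password(entry, old, "correct horse")  # key stored under the old realm
    if pin:
        pin_salt(entry, old)
    # After the rename the client derives its key from the salt the KDC now
    # advertises for this entry; it must match the key still in the database.
    client_key = string_to_key("correct horse", effective_salt(entry, new))
    return client_key == entry.key
```

Without the pinning pass the client-side key no longer matches the stored one, which is the failure the thread is about; with it, the old realm name stays in the salt and the password keeps working.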
