Ken Hornstein wrote:
> I believe Windows manages this by storing the actual plaintext passwords,
> and thus can simply generate new keys from the passwords with the correct
> salt. If you have a regular password expiration policy, you could "cheat"
> a bit and store the plaintext passwords. Or even better, during the
> password change you could store the "correct" salt. Either one of these
> solutions requires writing some code ... and a password expiration policy.
This is part of what Windows does. Active Directory in Windows 2003 allows you to provide the KDC multiple names. This allows you to make the transition without requiring a flag day.

You start the process by associating an alias for the new domain name. Then you perform a transformation on the database for all of the client machines. Then the alias and the official name are swapped. You then run this way for as long as you need to in order for the client machines to contact Active Directory and have a client machine rename operation, which includes a reboot, to occur. Finally, you delete the alias to the old domain name.

Jeffrey Altman

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
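The salt problem behind the quoted remark, as an added illustration that is not part of the thread: the default Kerberos salt (RFC 4120) is the realm name followed by the principal's name components, so a key derived under the old realm cannot be turned into one for the new realm without the password. This toy KDC database is my own code; it uses only the PBKDF2 stage of the RFC 3962 AES-256 string-to-key (the final DK step is left out, an assumed simplification) and shows both options named above: regenerating the key from the plaintext password, or storing at password-change time the salt that will be correct after the rename.

```python
from __future__ import annotations
import hashlib
import hmac


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the principal's name components,
    in order and with no separators (alice@EXAMPLE.COM -> "EXAMPLE.COMalice")."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def derive_key(password: str, salt: str, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES-256 string-to-key (4096 iterations,
    32-byte output). Simplification: the final DK() step of RFC 3962 is omitted; it
    does not change the point that the key depends on the salt, hence on the realm."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


class KdcDatabase:
    """Toy principal database (constructed for this example): each entry stores
    (key, salt) and never the password."""

    def __init__(self) -> None:
        self.entries: dict[str, tuple[bytes, str]] = {}

    def set_password(self, principal: str, password: str, salt: str | None = None) -> None:
        # A regular change uses the default salt of the current realm. A rename-aware
        # change can instead pass the salt that will be correct after the rename
        # (the "store the correct salt" option from the quoted message).
        salt = default_salt(principal) if salt is None else salt
        self.entries[principal] = (derive_key(password, salt), salt)

    def rename_realm(self, old_realm: str, new_realm: str) -> None:
        # Move each principal to the new realm. Keys and salts are copied unchanged:
        # without the password, no key for the new realm's default salt can be computed.
        renamed = {}
        for principal, entry in self.entries.items():
            name, realm = principal.rsplit("@", 1)
            realm = new_realm if realm == old_realm else realm
            renamed[f"{name}@{realm}"] = entry
        self.entries = renamed

    def verify(self, principal: str, password: str, use_stored_salt: bool) -> bool:
        # use_stored_salt=True: derive with the salt recorded at password-change time.
        # use_stored_salt=False: derive with the default salt of the (renamed) principal,
        # i.e. what a client computes when no salt is supplied alongside the key.
        key, stored_salt = self.entries[principal]
        salt = stored_salt if use_stored_salt else default_salt(principal)
        return hmac.compare_digest(key, derive_key(password, salt))
```

Re-running set_password on a renamed principal is the "keep the plaintext and regenerate" path; pre-staging the new realm's salt at change time is the other.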
