Bjørn Tore Sund <[email protected]> writes:

> On 6/11/11 8:46 AM, Richard E. Silverman wrote:
>> Bjørn Tore Sund<[email protected]> writes:
>>
>>> Hi,
>>>
>>> We have been running our KDCs on a dual Sun Solaris 10 setup for five
>>> years, currently at MIT Kerberos 1.6. The hardware is out of support, Sun
>>> Solaris is going away by local policy and so we need to migrate to a dual
>>> RHEL 6 setup with whatever version of MIT Kerberos is current from rpms on
>>> that platform - currently 1.8.2.
>>>
>>> After googling for a while I thought I'd ask here - is there a best
>>> practices document we can use to plan the procedure?
>>
>> One suggestion: if you're using file-based storage for the principal
>> database, do a dump and reload rather than try to copy the binary files
>> over; they will likely not be compatible. On the old host:
>>
>> # dump the database to the file kerberos.db
>> #
>> $ sudo kdb5_util -r REALM dump kerberos.db
>>
>> ... and on the new host:
>>
>> # initialize a new database
>> #
>> $ sudo kdb5_util -r REALM create -s
>>
>> # and load your principal data into it
>> #
>> $ sudo kdb5_util -r REALM load kerberos.db
>
> Thanks. Going thoroughly through
> http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5install.html we
> found an "Upgrading existing Kerberos V5 installations" section and other
> useful stuff giving us that procedure.
>
> Main challenge now is that we've discovered we need AD to go up from W2K3
> to W2K8 before we can make the Unix-side switch or we break cross-realm
> due to encryption incompatibility.

Actually, no: there's a registry key you can set on the W2K8 machines which
allows them to use the older ciphers, including the DES inter-realm keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes = DWORD 0x7fffffff

- Richard
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
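
Added example, not part of the original thread: a Python check that reads the SupportedEncryptionTypes value from `reg query` output and reports which Kerberos encryption types the mask enables, including whether single-DES is on. The bit assignments, the sample output and all function names are assumptions of this example; the post gives only the combined value 0x7fffffff.

```python
import re

# Low bits of the SupportedEncryptionTypes policy value. These bit
# assignments are an assumption of this example (taken from Microsoft's
# documentation of the setting); the post only gives the combined value.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
FUTURE_MASK = 0x7FFFFFE0  # bits reserved for future encryption types
DES_MASK = 0x03           # single-DES, deprecated for Kerberos by RFC 6649

VALUE_RE = re.compile(
    r"^\s*SupportedEncryptionTypes\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.M)

def parse_reg_query(text):
    """Return the DWORD from `reg query` output, or None if the value is unset."""
    m = VALUE_RE.search(text)
    return int(m.group(1), 16) if m else None

def audit(mask):
    """Decode the mask and report whether single-DES is among the enabled types."""
    return {
        "enabled": [name for bit, name in ENCTYPE_BITS.items() if mask & bit],
        "future_bits": bool(mask & FUTURE_MASK),
        "des_enabled": bool(mask & DES_MASK),
        # Same policy with only the DES bits cleared, for use once no
        # DES inter-realm keys remain.
        "without_des": mask & ~DES_MASK & 0x7FFFFFFF,
    }

# Constructed sample: `reg query` output for the key named in the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters
    SupportedEncryptionTypes    REG_DWORD    0x7fffffff
"""

if __name__ == "__main__":
    mask = parse_reg_query(SAMPLE)
    if mask is None:
        print("SupportedEncryptionTypes is not set")
    else:
        report = audit(mask)
        print(f"mask=0x{mask:08x} enabled={report['enabled']}")
        print(f"DES enabled: {report['des_enabled']}; "
              f"without DES: 0x{report['without_des']:08x}")
```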
