On Mon, 2011-08-29 at 15:22 +0200, Andreas Ntaflos wrote: [..]
> Simo,
>
> Thank you for the hint, I was indeed able to use kdb5_util to dump the
> old database and restore it into the LDAP backend, after some initial
> problems.
>
> Here's what I did:
>
> * Dump the current database: kdb5_util dump kdb5-current.dump
> * Update /etc/krb5.conf to reflect the LDAP backend settings (I used
>   [1] as a guide)
> * Back up /etc/krb5kdc, especially the stash (/etc/krb5kdc/stash)
>   containing the master key
> * Create a new realm using kdb5_ldap_util as per [1], i.e.
>   "kdb5_ldap_util create"
>   * This creates a new master key and stash that will have to be
>     replaced by the old stash after importing the database.
> * Create the stash for the service object as per [1], i.e.
>   "kdb5_ldap_util stashsrvpw"
> * Load the database dump: kdb5_util load -update kdb5-current.dump
> * Replace the newly created master key stash (/etc/krb5kdc/stash) with
>   the backup
> * Restart the KDC and admin server
>
> The database, database dump and master key obviously are very tightly
> coupled, and creating a new realm creates a new master key. Is there
> another way this procedure should have been done, one that doesn't
> require manually copying key stashes around?

During the dump you can convert the db to use a different hash file. But
that's possible only at dump apparently. So you'd have to change the
order of operations somewhat.

I think there is also the option to tell kdb5_ldap_util to use an
existing stash file when you create the db, but I am not 100% sure,
it's been some time.

> Anyway, this seems to be working fine so far, thanks again!

Glad to hear that.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
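The DB2-to-LDAP migration Andreas describes above, written up as a script (this is an added example, not code from the thread or from MIT Kerberos). It follows his order of steps exactly and adds the two things a practitioner wants around it: a timestamped backup of /etc/krb5kdc taken before kdb5_ldap_util overwrites the stash, and a byte-for-byte check that the old stash really is back in place before the KDC is restarted, since a mismatched master key only shows up as every principal key failing to decrypt. The realm name, LDAP admin DN, KDC service DN, subtree, Debian-style paths and service names (krb5-kdc, krb5-admin-server) are all assumptions to change for your site, and, as in the post, /etc/krb5.conf and kdc.conf are assumed to have been switched to the LDAP backend by hand after the dump and before the create step. Simo's suggestion of re-keying at dump time is not scripted here because the thread does not confirm the exact invocation.

```shell
#!/bin/sh
# migrate-kdc-to-ldap.sh: the DB2 -> LDAP migration from the thread, scripted.
# Added example, not from the original post. Assumed values (edit for your
# site): Debian layout under /etc/krb5kdc, services krb5-kdc and
# krb5-admin-server, realm EXAMPLE.COM, LDAP admin DN and KDC service DN
# under dc=example,dc=com. krb5.conf/kdc.conf must already point at the LDAP
# backend before create/stashsrvpw/load run (the poster edited them by hand).
set -eu

KDC_DIR=${KDC_DIR:-/etc/krb5kdc}
STASH=${STASH:-$KDC_DIR/stash}
REALM=${REALM:-EXAMPLE.COM}
LDAP_ADMIN_DN=${LDAP_ADMIN_DN:-cn=admin,dc=example,dc=com}
KDC_SERVICE_DN=${KDC_SERVICE_DN:-cn=kdc,dc=example,dc=com}
KRB_SUBTREE=${KRB_SUBTREE:-ou=people,dc=example,dc=com}
DUMP=${DUMP:-/var/backups/kdb5-current.dump}

# Copy the whole KDC config directory (stash included) into a timestamped
# backup directory, preserving modes, and print the backup path.
backup_kdc_dir() {
    src=$1
    dstroot=$2
    dst="$dstroot/krb5kdc-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dstroot"
    cp -a "$src" "$dst"
    printf '%s\n' "$dst"
}

# Succeed only when the two stash files are byte-identical.
stash_matches_backup() {
    cmp -s "$1" "$2"
}

# Put the original stash back over the one kdb5_ldap_util created.
restore_stash() {
    cp -p "$1" "$2"
    chmod 600 "$2"
}

migrate() {
    # 1. Dump the current (DB2) database while the old backend is configured.
    #    The dump holds every principal key (under the master key): keep it 0600.
    kdb5_util dump "$DUMP"
    chmod 600 "$DUMP"

    # 2. Back up /etc/krb5kdc, stash included, before anything rewrites it.
    backup=$(backup_kdc_dir "$KDC_DIR" /var/backups)

    # (Switch krb5.conf/kdc.conf to the LDAP backend here, as the poster did.)

    # 3. Create the realm in LDAP; -s writes a *new* master key stash.
    kdb5_ldap_util -D "$LDAP_ADMIN_DN" create -subtrees "$KRB_SUBTREE" \
        -sscope sub -r "$REALM" -s

    # 4. Stash the bind password of the KDC's LDAP service object.
    kdb5_ldap_util -D "$LDAP_ADMIN_DN" stashsrvpw \
        -f "$KDC_DIR/service.keyfile" "$KDC_SERVICE_DN"

    # 5. Load the dump into the LDAP realm, updating entries create made.
    kdb5_util load -update "$DUMP"

    # 6. The dumped keys are encrypted under the OLD master key, so the old
    #    stash must replace the one step 3 wrote. Verify it actually did.
    restore_stash "$backup/stash" "$STASH"
    stash_matches_backup "$backup/stash" "$STASH" || {
        echo "stash restore failed; do not restart the KDC" >&2
        exit 1
    }

    # 7. Restart and confirm the KDC can open the database with that key
    #    (kadmin.local must decrypt K/M with the stashed master key).
    service krb5-kdc restart
    service krb5-admin-server restart
    kadmin.local -q "getprinc K/M@$REALM" >/dev/null
}

if [ "${1:-}" = "--run" ]; then
    migrate
fi
```

Run it as `sh migrate-kdc-to-ldap.sh --run` on the KDC; without `--run` it only defines the helpers, so the backup and stash checks can be exercised against a scratch directory first.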
