On 06/23/2014 04:20 PM, Paul B. Henson wrote:
> Am I misremembering? Is there any way to copy an existing Kerberos database
> for realm A to realm B without requiring resetting passwords?

It's possible in theory, but we don't currently provide tooling for it.
The problems I'm aware of include:

1. As you noted, the default salt of a principal includes the realm name.
   To rename a principal entry with a password-based key, you have to
   modify the key data of that principal to include an explicit salt. We
   provide a kadmin operation which does that for a single principal, but
   not for a whole realm.

2. The master key stash file (since 1.7) is a keytab file with the key
   filed under K/M@oldrealm. This has to be modified to have the key filed
   under K/M@newrealm.

3. krbtgt principal entries (local and cross-realm) need to have their
   second components renamed as well as their realm names. Cross-realm
   krbtgt principal entries need to be renamed in the foreign database as
   well as the local one.

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
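
An added illustration of problem 1 in the reply above (not part of the original message and not MIT krb5 code): a password-derived key stops matching once the realm in the default salt changes, unless the old salt is recorded explicitly on the entry. The `Entry` model, the function names, the realm names and the password are all hypothetical, and only the PBKDF2 stage of the RFC 3962 AES string-to-key is computed.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Optional, Tuple

ITERATIONS = 4096  # RFC 3962 default iteration count


@dataclass(frozen=True)
class Entry:  # hypothetical, simplified model of a principal entry
    realm: str
    components: Tuple[str, ...]
    key: bytes
    explicit_salt: Optional[bytes] = None  # None means "use the default salt"


def default_salt(realm, components):
    # RFC 4120 default salt: realm, then the name components, no separators.
    return (realm + "".join(components)).encode("utf-8")


def effective_salt(e):
    return default_salt(e.realm, e.components) if e.explicit_salt is None else e.explicit_salt


def derive(password, salt):
    # PBKDF2 stage of the RFC 3962 AES string-to-key. The final DK(tkey, "kerberos")
    # step is a fixed function of this value and is omitted.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, 32)


def create(password, realm, components):
    return Entry(realm, components, derive(password, default_salt(realm, components)))


def rename_realm(entry, new_realm, pin_salt):
    # The key bytes are copied unchanged; only the salt bookkeeping differs.
    salt = effective_salt(entry) if pin_salt else entry.explicit_salt
    return replace(entry, realm=new_realm, explicit_salt=salt)


def password_still_works(password, entry):
    # A client derives its key from the salt the KDC reports for the entry.
    return derive(password, effective_salt(entry)) == entry.key


# Constructed sample values, not taken from the thread.
old = create("correct horse", "A.EXAMPLE", ("alice",))
naive = rename_realm(old, "B.EXAMPLE", pin_salt=False)
pinned = rename_realm(old, "B.EXAMPLE", pin_salt=True)
```
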
