> From: Greg Hudson
> Sent: Tuesday, June 24, 2014 7:47 PM
>
> Sorry to be unclear; I was referring to the kadmin renprinc command. In
> addition to renaming the principal, it adds an explicit salt.
Ah, I see; there is no "set salt" command per se, but it's a side effect of the rename command. So, when a principal is renamed, an explicit salt is configured specifying what the default salt would have been before the rename. When the password for that principal is later changed, does it revert back to the default salt?

So to copy realm A to create a new realm B with the existing user base, able to use existing passwords, it seems one would:

* bring up a new server for realm A
* isolate it so it no longer replicates with the existing realm A servers
* rename all of the principals to <name>-newrealm, then back to <name> to store the salt
* shut down the new server, dump the LDAP backend, replace A with B, load the new LDIF
* update kadmin/kdc configuration
* start the new server
* fiddle with keytabs etc.
* success?

> As it turns out, I know someone who had to rename a realm a few weeks
> ago, and after resolving the above issues reported success.

Sweet. I'll have to test this out and see how it goes.

> In case it wasn't obvious, I should also have mentioned that any
> references to principal names in ACL files (or the equivalent) must be
> updated, and all server keytabs must be re-provisioned. This is
> probably the hardest part in a large-scale deployment. (In some cases
> server keytabs might continue to work, but I wouldn't count on it.)

In my case, as I'm not actually renaming an existing realm but trying to stand up a new one alongside the existing one, pre-populated with the existing principals, it should be a lot simpler: there will be no flag day where everything has to transition from realm A to realm B; we will have about a year to migrate things in a hopefully controlled fashion :).

Thanks for the help.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
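The rename-out, rename-back step from the list above, as an added shell example that is not part of this thread or of MIT Kerberos: it turns a principal list into the kadmin commands that pin each principal's current default salt as an explicit one. It assumes MIT kadmin's rename_principal command with its -force option (to skip the per-principal confirmation prompt) and a constructed principal list; it only prints the commands for review rather than running them.

```shell
# Added example, not from the thread. Assumes MIT kadmin's
# "rename_principal [-force] old new" and a constructed principal list.

# Usage: gen_renames SUFFIX < principal_list
# Each input line is a full principal name such as alice@A.EXAMPLE.
# Emits a rename to <base>SUFFIX@<realm> and a rename straight back,
# which is the pair that stores the pre-rename salt explicitly.
gen_renames() {
    suffix="$1"
    awk -v suffix="$suffix" '
        NF == 0 { next }                       # skip blank lines
        {
            p = $1
            at = index(p, "@")
            if (at == 0) { print "# skipping (no realm): " p; next }
            base  = substr(p, 1, at - 1)       # name or name/instance
            realm = substr(p, at + 1)
            tmp   = base suffix "@" realm      # suffix goes before the @
            printf "rename_principal -force %s %s\n", p, tmp
            printf "rename_principal -force %s %s\n", tmp, p
        }'
}

# Constructed sample list standing in for the output of
#   kadmin.local -q list_principals
# on the isolated copy of realm A.
PRINCIPALS='alice@A.EXAMPLE
host/kdc1.a.example@A.EXAMPLE
bob@A.EXAMPLE'

# Print a command script you can read through before feeding it to
# kadmin.local on the isolated server.
printf '%s\n' "$PRINCIPALS" | gen_renames -newrealm
```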
