1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/third_party/heimdal/doc/migration.texi
Andrew Bartlett ef28247f3b third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)
This commit won't compile on it's own, as we need to fix the build system
to cope in the next commit.

The purpose of this commit is to update to a new lorikeet-heimdal tree
that includes the previous two patches and is rebased on a current
Heimdal master snapshot.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-11-02 04:23:34 +00:00

70 lines
2.3 KiB
Plaintext

@c $Id$
@node Migration, Acknowledgments, Programming with Kerberos, Top
@chapter Migration
@section Migration from MIT Kerberos to Heimdal
hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
version 6 format. Simply run:
@samp{kdb5_util dump}.
To load the MIT Kerberos dump file, use the following command:
@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}
kadmin can dump in MIT Kerberos format. Simply run:
@samp{kadmin -l dump -f MIT}.
There are some limitations in this functionality. Users should check
the input dump and a native dump after loading to check for
differences.
The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
library can read and write MIT KDBs, and can read MIT stash files. To
build with KDB support requires having a standalone libdb from MIT
Kerberos and associated headers, then you can configure Heildal as
follows:
@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
At this time support for MIT Kerberos KDB dump/load format and direct
KDB access does not include support for PKINIT, or K/M key history,
constrained delegation, and other advanced features.
Heimdal supports using multiple HDBs at once, with all write going to
just one HDB. This allows for entries to be moved to a native HDB from
an MIT KDB over time as those entries are changed. Or you can use hprop
and hpropd.
@section General issues
@section Order in what to do things:
@itemize @bullet
@item Convert the database, check all principals that hprop complains
about.
@samp{hprop -n --source=<NNN>| hpropd -n}
Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
@item Run a Kerberos 5 slave for a while.
@c XXX Add you slave first to your kdc list in you kdc.
@item Figure out if it does everything you want it to.
Make sure that all things that you use works for you.
@item Let a small number of controlled users use Kerberos 5 tools.
Find a sample population of your users and check what programs they use,
you can also check the kdc-log to check what ticket are checked out.
@item Burn the bridge and change the master.
@item Let all users use the Kerberos 5 tools by default.
@end itemize