mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
ef28247f3b
This commit won't compile on it's own, as we need to fix the build system to cope in the next commit. The purpose of this commit is to update to a new lorikeet-heimdal tree that includes the previous two patches and is rebased on a current Heimdal master snapshot. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
70 lines
2.3 KiB
Plaintext
70 lines
2.3 KiB
Plaintext
@c $Id$
|
|
|
|
@node Migration, Acknowledgments, Programming with Kerberos, Top
|
|
@chapter Migration
|
|
|
|
@section Migration from MIT Kerberos to Heimdal
|
|
|
|
hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
|
|
version 6 format. Simply run:
|
|
@samp{kdb5_util dump}.
|
|
|
|
To load the MIT Kerberos dump file, use the following command:
|
|
|
|
@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}
|
|
|
|
kadmin can dump in MIT Kerberos format. Simply run:
|
|
@samp{kadmin -l dump -f MIT}.
|
|
|
|
There are some limitations in this functionality. Users should check
|
|
the input dump and a native dump after loading to check for
|
|
differences.
|
|
|
|
The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
|
|
library can read and write MIT KDBs, and can read MIT stash files. To
|
|
build with KDB support requires having a standalone libdb from MIT
|
|
Kerberos and associated headers, then you can configure Heildal as
|
|
follows:
|
|
|
|
@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
|
|
|
|
At this time support for MIT Kerberos KDB dump/load format and direct
|
|
KDB access does not include support for PKINIT, or K/M key history,
|
|
constrained delegation, and other advanced features.
|
|
|
|
Heimdal supports using multiple HDBs at once, with all write going to
|
|
just one HDB. This allows for entries to be moved to a native HDB from
|
|
an MIT KDB over time as those entries are changed. Or you can use hprop
|
|
and hpropd.
|
|
|
|
@section General issues
|
|
|
|
@section Order in what to do things:
|
|
|
|
@itemize @bullet
|
|
|
|
@item Convert the database, check all principals that hprop complains
|
|
about.
|
|
|
|
@samp{hprop -n --source=<NNN>| hpropd -n}
|
|
|
|
Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
|
|
|
|
@item Run a Kerberos 5 slave for a while.
|
|
|
|
@c XXX Add you slave first to your kdc list in you kdc.
|
|
|
|
@item Figure out if it does everything you want it to.
|
|
|
|
Make sure that all things that you use works for you.
|
|
|
|
@item Let a small number of controlled users use Kerberos 5 tools.
|
|
|
|
Find a sample population of your users and check what programs they use,
|
|
you can also check the kdc-log to check what ticket are checked out.
|
|
|
|
@item Burn the bridge and change the master.
|
|
@item Let all users use the Kerberos 5 tools by default.
|
|
|
|
@end itemize
|