mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
7055827b8f
This makes it clearer that we always want to do heimdal changes via the lorikeet-heimdal repository. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
74 lines
2.5 KiB
Plaintext
74 lines
2.5 KiB
Plaintext
@c $Id$
|
|
|
|
@node Migration, Acknowledgments, Programming with Kerberos, Top
|
|
@chapter Migration
|
|
|
|
@section Migration from MIT Kerberos to Heimdal
|
|
|
|
hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
|
|
version 6 format. Simply run:
|
|
@samp{kdb5_util dump}.
|
|
|
|
To load the MIT Kerberos dump file, use the following command:
|
|
|
|
@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}
|
|
|
|
kadmin can dump in MIT Kerberos format. Simply run:
|
|
@samp{kadmin -l dump -f MIT}.
|
|
|
|
The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
|
|
library can read and write MIT KDBs, and can read MIT stash files. To
|
|
build with KDB support requires having a standalone libdb from MIT
|
|
Kerberos and associated headers, then you can configure Heildal as
|
|
follows:
|
|
|
|
@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
|
|
|
|
At this time support for MIT Kerberos KDB dump/load format and direct
|
|
KDB access does not include support for PKINIT, or K/M key history,
|
|
constrained delegation, and other advanced features.
|
|
|
|
Heimdal supports using multiple HDBs at once, with all write going to
|
|
just one HDB. This allows for entries to be moved to a native HDB from
|
|
an MIT KDB over time as those entries are changed. Or you can use hprop
|
|
and hpropd.
|
|
|
|
@section General issues
|
|
|
|
When migrating from a Kerberos 4 KDC.
|
|
|
|
@section Order in what to do things:
|
|
|
|
@itemize @bullet
|
|
|
|
@item Convert the database, check all principals that hprop complains
|
|
about.
|
|
|
|
@samp{hprop -n --source=<NNN>| hpropd -n}
|
|
|
|
Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
|
|
|
|
@item Run a Kerberos 5 slave for a while.
|
|
|
|
@c XXX Add you slave first to your kdc list in you kdc.
|
|
|
|
@item Figure out if it does everything you want it to.
|
|
|
|
Make sure that all things that you use works for you.
|
|
|
|
@item Let a small number of controlled users use Kerberos 5 tools.
|
|
|
|
Find a sample population of your users and check what programs they use,
|
|
you can also check the kdc-log to check what ticket are checked out.
|
|
|
|
@item Burn the bridge and change the master.
|
|
@item Let all users use the Kerberos 5 tools by default.
|
|
@item Turn off services that do not need Kerberos 4 authentication.
|
|
|
|
Things that might be hard to get away is old programs with support for
|
|
Kerberos 4. Example applications are old Eudora installations using
|
|
KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal
|
|
kdc.
|
|
|
|
@end itemize
|