Update MIT<->Heimdal migration documentation

2012-05-02 17:43:26 -05:00
parent 57f1545a46
commit 54fdd62c2b
1 changed files with 23 additions and 3 deletions
--- a/doc/migration.texi
+++ b/doc/migration.texi
@@ -5,14 +5,34 @@

@section Migration from MIT Kerberos to Heimdal

-hpropd can read MIT Kerberos dump, the format is the same as used in
-mit-kerberos 1.0b7, and to dump that format use the following command:
-@samp{kdb5_util dump -b7}.
+hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
+version 6 format.  Simply run:
+@samp{kdb5_util dump}.

 To load the MIT Kerberos dump file, use the following command:

@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}

+kadmin can dump in MIT Kerberos format.  Simply run:
+@samp{kadmin -l dump -f MIT}.
+
+The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
+library can read and write MIT KDBs, and can read MIT stash files.  To
+build with KDB support requires having a standalone libdb from MIT
+Kerberos and associated headers, then you can configure Heildal as
+follows:
+
+@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
+
+At this time support for MIT Kerberos KDB dump/load format and direct
+KDB access does not include support for PKINIT, or K/M key history,
+constrained delegation, and other advanced features.
+
+Heimdal supports using multiple HDBs at once, with all write going to
+just one HDB.  This allows for entries to be moved to a native HDB from
+an MIT KDB over time as those entries are changed.  Or you can use hprop
+and hpropd.
+
@section General issues

 When migrating from a Kerberos 4 KDC.