oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
131d90c41442d42daed609b3bfcade6c169aa46a
heimdal/doc/migration.texi
Nicolas Williams 0878a568f9 doc: Fix Texinfo docs; remove krb4 references
2022-03-16 17:50:33 -05:00

70 lines
2.3 KiB
Plaintext
Raw Blame History

@c $Id$
@node Migration, Acknowledgments, Programming with Kerberos, Top
@chapter Migration
@section Migration from MIT Kerberos to Heimdal
hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
version 6 format. Simply run:
@samp{kdb5_util dump}.
To load the MIT Kerberos dump file, use the following command:
@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}
kadmin can dump in MIT Kerberos format. Simply run:
@samp{kadmin -l dump -f MIT}.
There are some limitations in this functionality. Users should check
the input dump and a native dump after loading to check for
differences.
The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
library can read and write MIT KDBs, and can read MIT stash files. To
build with KDB support requires having a standalone libdb from MIT
Kerberos and associated headers, then you can configure Heildal as
follows:
@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
At this time support for MIT Kerberos KDB dump/load format and direct
KDB access does not include support for PKINIT, or K/M key history,
constrained delegation, and other advanced features.
Heimdal supports using multiple HDBs at once, with all write going to
just one HDB. This allows for entries to be moved to a native HDB from
an MIT KDB over time as those entries are changed. Or you can use hprop
and hpropd.
@section General issues
@section Order in what to do things:
@itemize @bullet
@item Convert the database, check all principals that hprop complains
about.
@samp{hprop -n --source=<NNN>| hpropd -n}
Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
@item Run a Kerberos 5 slave for a while.
@c XXX Add you slave first to your kdc list in you kdc.
@item Figure out if it does everything you want it to.
Make sure that all things that you use works for you.
@item Let a small number of controlled users use Kerberos 5 tools.
Find a sample population of your users and check what programs they use,
you can also check the kdc-log to check what ticket are checked out.
@item Burn the bridge and change the master.
@item Let all users use the Kerberos 5 tools by default.
@end itemize
Reference in New Issue View Git Blame Copy Permalink