diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /third_party/heimdal/doc/migration.texi | |
parent | Initial commit. (diff) | |
download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'third_party/heimdal/doc/migration.texi')
-rw-r--r-- | third_party/heimdal/doc/migration.texi | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/migration.texi b/third_party/heimdal/doc/migration.texi new file mode 100644 index 0000000..7c3e1e7 --- /dev/null +++ b/third_party/heimdal/doc/migration.texi @@ -0,0 +1,69 @@ +@c $Id$ + +@node Migration, Acknowledgments, Programming with Kerberos, Top +@chapter Migration + +@section Migration from MIT Kerberos to Heimdal + +hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or +version 6 format. Simply run: +@samp{kdb5_util dump}. + +To load the MIT Kerberos dump file, use the following command: + +@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin} + +kadmin can dump in MIT Kerberos format. Simply run: +@samp{kadmin -l dump -f MIT}. + +There are some limitations in this functionality. Users should check +the input dump and a native dump after loading to check for +differences. + +The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv +library can read and write MIT KDBs, and can read MIT stash files. To +build with KDB support requires having a standalone libdb from MIT +Kerberos and associated headers, then you can configure Heildal as +follows: + +@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb} + +At this time support for MIT Kerberos KDB dump/load format and direct +KDB access does not include support for PKINIT, or K/M key history, +constrained delegation, and other advanced features. + +Heimdal supports using multiple HDBs at once, with all write going to +just one HDB. This allows for entries to be moved to a native HDB from +an MIT KDB over time as those entries are changed. Or you can use hprop +and hpropd. + +@section General issues + +@section Order in what to do things: + +@itemize @bullet + +@item Convert the database, check all principals that hprop complains +about. + +@samp{hprop -n --source=<NNN>| hpropd -n} + +Replace <NNN> with whatever source you have, like krb4-db or krb4-dump. + +@item Run a Kerberos 5 slave for a while. + +@c XXX Add you slave first to your kdc list in you kdc. + +@item Figure out if it does everything you want it to. + +Make sure that all things that you use works for you. + +@item Let a small number of controlled users use Kerberos 5 tools. + +Find a sample population of your users and check what programs they use, +you can also check the kdc-log to check what ticket are checked out. + +@item Burn the bridge and change the master. +@item Let all users use the Kerberos 5 tools by default. + +@end itemize |