xref: /netbsd-src/crypto/external/bsd/heimdal/dist/doc/migration.texi (revision d3273b5b76f5afaafe308cead5511dbb8df8c5e9)
@c Id
@c $NetBSD: migration.texi,v 1.2 2017/01/28 21:31:44 christos Exp $

@node Migration, Acknowledgments, Programming with Kerberos, Top
@chapter Migration

@section Migration from MIT Kerberos to Heimdal

hpropd can read an MIT Kerberos dump in "kdb5_util load_dump version 5" or
version 6 format.  Simply run:
@samp{kdb5_util dump}.

To load the MIT Kerberos dump file, use the following command:

@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}

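As an added example (not code from the Heimdal project or its documentation), the shell function below wraps the hprop | hpropd pipeline above so that hprop's own exit status and diagnostics are not hidden behind the pipe, where only hpropd's status would normally be seen. The names migrate_mit_dump, count_complaints, HPROP and HPROPD are assumptions of this example; the default paths are the ones used in the command above.

```shell
#!/bin/sh
# Added example, not part of the Heimdal documentation: run the
# hprop | hpropd load from an MIT dump while keeping hprop's exit status
# and its diagnostics visible.  In a plain pipe only hpropd's status is
# reported, so a failing hprop, and the principals it complains about,
# are easy to miss.  HPROP/HPROPD are assumed environment overrides.
HPROP="${HPROP:-/usr/heimdal/libexec/hprop}"
HPROPD="${HPROPD:-/usr/heimdal/libexec/hpropd}"

# migrate_mit_dump DUMP STASH LOG
# Loads the MIT dump DUMP, decrypted with the MIT stash STASH, into the
# local Heimdal database through hpropd.  hprop's stderr goes to LOG.
# Returns hprop's exit status if it failed, otherwise hpropd's.
migrate_mit_dump() {
    dump=$1; stash=$2; log=$3
    [ -r "$dump" ] || { echo "dump file not readable: $dump" >&2; return 2; }
    [ -r "$stash" ] || { echo "MIT stash not readable: $stash" >&2; return 2; }
    status_file=$(mktemp) || return 2
    {
        hprop_rc=0
        "$HPROP" --database="$dump" --master-key="$stash" \
            --source=mit-dump --decrypt --stdout 2>"$log" || hprop_rc=$?
        # Record hprop's status from inside the pipeline's subshell;
        # the pipe itself only reports hpropd's status.
        echo "$hprop_rc" >"$status_file"
    } | "$HPROPD" --stdin
    hpropd_rc=$?
    hprop_rc=$(cat "$status_file")
    rm -f "$status_file"
    [ "$hprop_rc" -eq 0 ] || return "$hprop_rc"
    return "$hpropd_rc"
}

# count_complaints LOG: number of diagnostic lines hprop wrote.  Review
# each of them before trusting the migrated HDB.
count_complaints() {
    grep -c . "$1" || :
}

# Usage (paths as in the text above):
#   migrate_mit_dump dump-file /var/db/krb5kdc/mit_stash /tmp/hprop.log
#   count_complaints /tmp/hprop.log
```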
kadmin can dump in MIT Kerberos format.  Simply run:
@samp{kadmin -l dump -f MIT}.

The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
library, can read and write MIT KDBs, and can read MIT stash files.  To
build with KDB support requires having a standalone libdb from MIT
Kerberos and associated headers; then you can configure Heimdal as
follows:

@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}

At this time support for the MIT Kerberos KDB dump/load format and direct
KDB access does not include support for PKINIT, K/M key history,
constrained delegation, and other advanced features.

Heimdal supports using multiple HDBs at once, with all writes going to
just one HDB.  This allows entries to be moved to a native HDB from
an MIT KDB over time as those entries are changed.  Or you can use hprop
and hpropd.

@section General issues

The following applies when migrating from a Kerberos 4 KDC.

@section Order in which to do things:

@itemize @bullet

@item Convert the database, and check all principals that hprop complains
about.

@samp{hprop -n --source=<NNN>| hpropd -n}

Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.

@item Run a Kerberos 5 slave for a while.

@c XXX Add your slave first to your kdc list in your kdc.

@item Figure out if it does everything you want it to.

Make sure that all the things that you use work for you.

@item Let a small number of controlled users use Kerberos 5 tools.

Find a sample population of your users and check what programs they use;
you can also check the kdc-log to see which tickets are checked out.

@item Burn the bridge and change the master.
@item Let all users use the Kerberos 5 tools by default.
@item Turn off services that do not need Kerberos 4 authentication.

Things that might be hard to get away from are old programs with support for
Kerberos 4. Example applications are old Eudora installations using
KPOP, and Zephyr. Eudora can use the Kerberos 4 support in the Heimdal
kdc.

@end itemize
