1*ae771770SStanislav Sedov@c $Id$ 25e9cd1aeSAssar Westerlund 3adb0ddaeSAssar Westerlund@node Migration, Acknowledgments, Programming with Kerberos, Top 45e9cd1aeSAssar Westerlund@chapter Migration 55e9cd1aeSAssar Westerlund 6*ae771770SStanislav Sedov@section Migration from MIT Kerberos to Heimdal 7*ae771770SStanislav Sedov 8*ae771770SStanislav Sedovhpropd can read MIT Kerberos dump, the format is the same as used in 9*ae771770SStanislav Sedovmit-kerberos 1.0b7, and to dump that format use the following command: 10*ae771770SStanislav Sedov@samp{kdb5_util dump -b7}. 11*ae771770SStanislav Sedov 12*ae771770SStanislav SedovTo load the MIT Kerberos dump file, use the following command: 13*ae771770SStanislav Sedov 14*ae771770SStanislav Sedov@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin} 15*ae771770SStanislav Sedov 165e9cd1aeSAssar Westerlund@section General issues 175e9cd1aeSAssar Westerlund 185e9cd1aeSAssar WesterlundWhen migrating from a Kerberos 4 KDC. 195e9cd1aeSAssar Westerlund 205e9cd1aeSAssar Westerlund@section Order in what to do things: 215e9cd1aeSAssar Westerlund 225e9cd1aeSAssar Westerlund@itemize @bullet 235e9cd1aeSAssar Westerlund 245e9cd1aeSAssar Westerlund@item Convert the database, check all principals that hprop complains 255e9cd1aeSAssar Westerlundabout. 265e9cd1aeSAssar Westerlund 275e9cd1aeSAssar Westerlund@samp{hprop -n --source=<NNN>| hpropd -n} 285e9cd1aeSAssar Westerlund 295e9cd1aeSAssar WesterlundReplace <NNN> with whatever source you have, like krb4-db or krb4-dump. 305e9cd1aeSAssar Westerlund 315e9cd1aeSAssar Westerlund@item Run a Kerberos 5 slave for a while. 325e9cd1aeSAssar Westerlund 335e9cd1aeSAssar Westerlund@c XXX Add you slave first to your kdc list in you kdc. 345e9cd1aeSAssar Westerlund 355e9cd1aeSAssar Westerlund@item Figure out if it does everything you want it to. 365e9cd1aeSAssar Westerlund 375e9cd1aeSAssar WesterlundMake sure that all things that you use works for you. 385e9cd1aeSAssar Westerlund 395e9cd1aeSAssar Westerlund@item Let a small number of controlled users use Kerberos 5 tools. 405e9cd1aeSAssar Westerlund 415e9cd1aeSAssar WesterlundFind a sample population of your users and check what programs they use, 425e9cd1aeSAssar Westerlundyou can also check the kdc-log to check what ticket are checked out. 435e9cd1aeSAssar Westerlund 445e9cd1aeSAssar Westerlund@item Burn the bridge and change the master. 455e9cd1aeSAssar Westerlund@item Let all users use the Kerberos 5 tools by default. 465e9cd1aeSAssar Westerlund@item Turn off services that do not need Kerberos 4 authentication. 475e9cd1aeSAssar Westerlund 485e9cd1aeSAssar WesterlundThings that might be hard to get away is old programs with support for 495e9cd1aeSAssar WesterlundKerberos 4. Example applications are old Eudora installations using 505e9cd1aeSAssar WesterlundKPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal 515e9cd1aeSAssar Westerlundkdc. 525e9cd1aeSAssar Westerlund 535e9cd1aeSAssar Westerlund@end itemize 54