summaryrefslogtreecommitdiff
path: root/source4/heimdal/doc/migration.texi
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/doc/migration.texi')
-rw-r--r--source4/heimdal/doc/migration.texi73
1 files changed, 73 insertions, 0 deletions
diff --git a/source4/heimdal/doc/migration.texi b/source4/heimdal/doc/migration.texi
new file mode 100644
index 00000000000..2fa7ede597a
--- /dev/null
+++ b/source4/heimdal/doc/migration.texi
@@ -0,0 +1,73 @@
+@c $Id$
+
+@node Migration, Acknowledgments, Programming with Kerberos, Top
+@chapter Migration
+
+@section Migration from MIT Kerberos to Heimdal
+
+hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or
+version 6 format. Simply run:
+@samp{kdb5_util dump}.
+
+To load the MIT Kerberos dump file, use the following command:
+
+@samp{/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin}
+
+kadmin can dump in MIT Kerberos format. Simply run:
+@samp{kadmin -l dump -f MIT}.
+
+The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv
+library can read and write MIT KDBs, and can read MIT stash files. To
+build with KDB support requires having a standalone libdb from MIT
+Kerberos and associated headers, then you can configure Heildal as
+follows:
+
+@samp{./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb}
+
+At this time support for MIT Kerberos KDB dump/load format and direct
+KDB access does not include support for PKINIT, or K/M key history,
+constrained delegation, and other advanced features.
+
+Heimdal supports using multiple HDBs at once, with all write going to
+just one HDB. This allows for entries to be moved to a native HDB from
+an MIT KDB over time as those entries are changed. Or you can use hprop
+and hpropd.
+
+@section General issues
+
+When migrating from a Kerberos 4 KDC.
+
+@section Order in what to do things:
+
+@itemize @bullet
+
+@item Convert the database, check all principals that hprop complains
+about.
+
+@samp{hprop -n --source=<NNN>| hpropd -n}
+
+Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
+
+@item Run a Kerberos 5 slave for a while.
+
+@c XXX Add you slave first to your kdc list in you kdc.
+
+@item Figure out if it does everything you want it to.
+
+Make sure that all things that you use works for you.
+
+@item Let a small number of controlled users use Kerberos 5 tools.
+
+Find a sample population of your users and check what programs they use,
+you can also check the kdc-log to check what ticket are checked out.
+
+@item Burn the bridge and change the master.
+@item Let all users use the Kerberos 5 tools by default.
+@item Turn off services that do not need Kerberos 4 authentication.
+
+Things that might be hard to get away is old programs with support for
+Kerberos 4. Example applications are old Eudora installations using
+KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal
+kdc.
+
+@end itemize
View Lorry Controller Status