So our administration has decided they want to change our edu domain, which means with current edu policy we lose the old one 8-/. We're currently looking at how best to handle this nightmare (and thanking our lucky stars we're not going to be the ones that have to tell faculty the email address they've had for 30 years will stop working). Right now, we're planning on standing up separate Kerberos servers for the new realm alongside our existing ones. For our LDAP servers, we're going to do the same thing, and given LDAP just stores an SSHA hash of the password, we're going to be able to bring along the passwords and cut over users to the new LDAP servers for the new domain with no hassle.
I'm not sure that we can do that for Kerberos though. We are currently using the LDAP backend, so it would be pretty trivial to rip through it and do an s/old.edu/new.edu/g like we plan to with LDAP, but I seem to recall that Kerberos uses the realm as part of the password hash? Which would make all of the passwords invalid and require users to update their password via our identity management portal before they would be able to use services authenticated by the new Kerberos realm. Am I misremembering? Is there any way to copy an existing Kerberos database for realm A to realm B without requiring resetting passwords? Thanks much.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
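To illustrate the realm-in-the-salt point the question turns on, here is an added Python example (not from the post and not MIT Kerberos code): it builds the default salt described in RFC 4120 section 4.1 (realm name followed by the principal name components) and runs the PBKDF2 stage of the RFC 3962 AES string-to-key function for the same password under two constructed realms, OLD.EDU and NEW.EDU, with a made-up principal and password. The second stage of string-to-key (DK with the constant "kerberos") is a deterministic function of the PBKDF2 output, so it is omitted here; differing PBKDF2 outputs already mean differing long-term keys.

```python
import hashlib


def default_salt(realm, components):
    """Default Kerberos salt (RFC 4120 section 4.1): the realm name followed by
    the principal's name components, concatenated with no separators."""
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_stage(password, salt, iterations=4096, key_len=32):
    """First stage of the AES string-to-key function (RFC 3962 section 4):
    PBKDF2-HMAC-SHA1 over the UTF-8 password and the salt.  The DK stage that
    follows in the RFC is deterministic, so distinct outputs here mean
    distinct long-term keys in the KDC database."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_len)


def realm_migration_check(password, old_realm, new_realm, components):
    """Derive the PBKDF2 stage for one principal under two realms and report
    whether the derived material (and therefore the stored key) carries over."""
    old_salt = default_salt(old_realm, components)
    new_salt = default_salt(new_realm, components)
    old_key = pbkdf2_stage(password, old_salt)
    new_key = pbkdf2_stage(password, new_salt)
    return {
        "old_salt": old_salt.decode("utf-8"),
        "new_salt": new_salt.decode("utf-8"),
        "key_carries_over": old_key == new_key,
    }


if __name__ == "__main__":
    # Constructed values: realms OLD.EDU / NEW.EDU, principal jdoe, made-up password.
    report = realm_migration_check("correct horse", "OLD.EDU", "NEW.EDU", ["jdoe"])
    print(report)  # key_carries_over is False: the realm is baked into the salt

    # Known-answer check against RFC 3962 Appendix B (iteration count 1, 128-bit output).
    kat = pbkdf2_stage("password", default_salt("ATHENA.MIT.EDU", ["raeburn"]), 1, 16)
    print("RFC 3962 vector ok:", kat.hex() == "cdedb5281bb2f801565a1122b2563515")
```

Whether a stored key can be reused therefore depends on the salt it was actually derived with, not only on the password; keys derived under the default salt embed the old realm name.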
