I am not sure how compatible the Heimdal and MIT Kerberos dump/load
programs are. I suspect they can be made to work.

In a nutshell, try the following.
1. Dump the Kerberos database on your MIT master to a file; you do this
with the dump subcommand of kdb5_util.
2. Build your shiny new Heimdal KDC, with the same name, Kerberos realm
and database password as your old MIT master KDC.
3. Load the flat file from 1 into your shiny new Heimdal database. You
will have to research how to do this. There may be a common format the
MIT dump and the Heimdal load use; check your man pages and Google.
4. Test that kadmin and Kerberos change password work on the new master.
5. Swap the new master for the old master.
6. Test that database propagation to the slaves still works. You may have to,
or decide to, convert the slaves first, in which case you modify this
task list a little.
7. Test that normal users can authenticate themselves.

If all goes well you have done it.

I hope this helps,


David Wolfskill wrote:
> We are currently using Kerberos (MIT -- possibly "customized" -- on the
> master & slave servers; MIT on a few older client machines; Heimdal on
> the newer client machines) in a predominantly FreeBSD environment.
> This arrangement (where the master & slave KDC run MIT while the
> bulk of the clients run Heimdal) has been working as long as we do
> such things as run "kadmin" on one of the older client machines
> that has MIT krb5 installed, but we need to replace the client
> machine where we run the "kadmin" stuff with a newer one, and we
> would prefer to just use the plain "vanilla" Heimdal Kerberos 5
> implementation that we get "for free" with FreeBSD.
> We have no need whatsoever to have any concerns about interoperability
> with other Kerberos implementations, whether Kerberos 4 or from
> non-FreeBSD environments.
> Is there a way to copy the salient information from the MIT krb5 KDC to
> a shiny new Heimdal KDC in such a way that the Heimdal KDC can then
> actually use the information to create or validate tickets?
> Alternatively, where might I look for such information?
> [I am sending a separate copy of this message to the
> heimdal-discuss@sics.se list.]
> Thanks!
> Peace,
> david
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
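
Steps 1 and 3 of the list above as a shell script, added here as an example and not part of the original message or of either project's code. The file paths are arguments chosen by the operator (assumptions), and the `hprop --source=mit-dump` route should be confirmed against the man pages of the installed Heimdal version before use.

```sh
#!/bin/sh
# Added example. Paths passed on the command line are site-specific assumptions.

# check_dump FILE: return 0 only if FILE is a private MIT dump file.
check_dump() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # The dump carries every principal's long-term keys, so group and
    # other must have no access (characters 5-10 of the ls mode string).
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other can access $f" >&2; return 2; }
    # MIT dumps begin with a "kdb5_util load_dump version N" header.
    head -n 1 "$f" | grep -q '^kdb5_util load_dump version [0-9]' \
        || { echo "$f is not an MIT dump" >&2; return 3; }
}

# Step 1, on the MIT master: write the dump with a restrictive umask.
dump_mit() {
    ( umask 077 && kdb5_util dump "$1" ) && check_dump "$1"
}

# Step 3, on the new Heimdal KDC: hprop reads the MIT dump, decrypts the
# keys with the MIT master key stash ($2), and hpropd loads the result.
load_heimdal() {
    check_dump "$1" || return
    hprop --database="$1" --source=mit-dump --decrypt \
          --master-key="$2" --stdout | hpropd --stdin
}

case "${1:-}" in
    dump) dump_mit "$2" ;;
    load) load_heimdal "$2" "$3" ;;
esac
```

Move the dump and the master key stash between hosts only over an encrypted channel, and delete both copies once step 7 passes.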