Next: Acknowledgments, Previous: Programming with Kerberos, Up: Top [Contents]
hpropd can read MIT Kerberos dump in "kdb5_util load_dump version 5" or version 6 format. Simply run: ‘kdb5_util dump’.
To load the MIT Kerberos dump file, use the following command:
‘/usr/heimdal/libexec/hprop --database=dump-file --master-key=/var/db/krb5kdc/mit_stash --source=mit-dump --decrypt --stdout | /usr/heimdal/libexec/hpropd --stdin’
kadmin can dump in MIT Kerberos format. Simply run: ‘kadmin -l dump -f MIT’.
The Heimdal KDC and kadmind, as well as kadmin -l and the libkadm5srv library can read and write MIT KDBs, and can read MIT stash files. To build with KDB support requires having a standalone libdb from MIT Kerberos and associated headers, then you can configure Heildal as follows:
‘./configure ... CPPFLAGS=-I/path-to-mit-db-headers LDFLAGS="-L/path-to-mit-db-object -Wl,-rpath -Wl,/path-to-mit-db-object" LDLIBS=-ldb’
At this time support for MIT Kerberos KDB dump/load format and direct KDB access does not include support for PKINIT, or K/M key history, constrained delegation, and other advanced features.
Heimdal supports using multiple HDBs at once, with all write going to just one HDB. This allows for entries to be moved to a native HDB from an MIT KDB over time as those entries are changed. Or you can use hprop and hpropd.
When migrating from a Kerberos 4 KDC.
‘hprop -n --source=<NNN>| hpropd -n’
Replace <NNN> with whatever source you have, like krb4-db or krb4-dump.
Make sure that all things that you use works for you.
Find a sample population of your users and check what programs they use, you can also check the kdc-log to check what ticket are checked out.
Things that might be hard to get away is old programs with support for Kerberos 4. Example applications are old Eudora installations using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in the Heimdal kdc.
Next: Acknowledgments, Previous: Programming with Kerberos, Up: Top [Contents]