[31058] in Kerberos
Migrating from 1 Kerberos Realm to another,
daemon@ATHENA.MIT.EDU (Jr Aquino)
Mon May 4 15:18:20 2009
Message-ID: <069268BF-7FB7-400A-8BED-A7AA25BA6426@citrixonline.com>
From: Jr Aquino <jr.aquino@citrixonline.com>
To: <kerberos@mit.edu>
Date: Mon, 4 May 2009 12:17:51 -0700

I am attempting to execute a migration from an older Krb5 system to a
new Krb5 - eDirectory system. (2 different KDCs)

I am having trouble determining the best option for the clients to
respect the new realm.

Is it possible to have multiple krb5 Realms within the same DNS Domain
and have the clients respect the difference?

So far, it appears that I have the following options:

0. Change the DNS Domain name suffix for newly migrated hosts.
1. Create/Designate hierarchical DNS Sub-domains, migrate each system
   in each sub-domain in bulk. <- Add lines to every client's krb5.conf to
   recognize the split.
2. Add thousands of lines to every client's krb5.conf file to map
   every single migrated host to the new realm.
3. Use dns_lookup_realm in the client's krb5.conf file <This appears to
   be very broken and documented on a few mailing lists>

Can anyone confirm this list is complete, or suggest an alternative
solution to migrate the hosts while allowing the clients to respect
both Realms simultaneously?

Jr Aquino | Information Security Engineer
Citrix Online Division
Citrix Systems, Inc.
6500 Hollister Avenue
Goleta, CA 93117 USA
www.citrixonline.com
Desk: 805-690-3478
Email: jr.aquino@citrixonline.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
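
Options 1 and 2 from the message above, as an added example that is not part of the original post: a simplified model of how krb5.conf `[domain_realm]` entries are matched (exact host name first, then parent domains from most to least specific), with helpers that build each mapping. The realm names, host names and function names are constructed placeholders, and the matching order is an assumption based on MIT krb5's documented `[domain_realm]` behaviour.

```python
# Added example: simplified model of krb5.conf [domain_realm] matching.
# All realm and host names are constructed placeholders.

def resolve_realm(host, domain_realm):
    """Return the realm for host: exact host entry first, then each
    parent domain from most to least specific; None if nothing matches."""
    p = host.lower()
    while p:
        if p in domain_realm:
            return domain_realm[p]
        if p.startswith("."):
            p = p[1:]                          # ".example.com" -> "example.com"
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""   # "db1.example.com" -> ".example.com"
    return None

def per_host_mapping(domain, old_realm, new_realm, migrated_hosts):
    """Option 2: domain-wide default plus one line per migrated host."""
    mapping = {"." + domain: old_realm}
    for host in migrated_hosts:
        mapping[host.lower()] = new_realm
    return mapping

def subdomain_mapping(domain, old_realm, new_realm, migrated_subdomains):
    """Option 1: domain-wide default plus one line per migrated sub-domain."""
    mapping = {"." + domain: old_realm}
    for sub in migrated_subdomains:
        mapping["." + sub.lower()] = new_realm
    return mapping

def render(domain_realm):
    """Render the mapping as a [domain_realm] section, host entries first
    (ordering is for readability only; it does not affect matching)."""
    lines = ["[domain_realm]"]
    for key in sorted(domain_realm, key=lambda k: (k.startswith("."), k)):
        lines.append(f"    {key} = {domain_realm[key]}")
    return "\n".join(lines)

if __name__ == "__main__":
    OLD, NEW = "OLD.EXAMPLE.COM", "NEW.EXAMPLE.COM"   # constructed realms
    by_host = per_host_mapping("example.com", OLD, NEW, ["db1.example.com"])
    by_sub = subdomain_mapping("example.com", OLD, NEW, ["new.example.com"])
    print(render(by_host))
    print(render(by_sub))
    for h in ("db1.example.com", "web1.example.com"):
        print(h, "->", resolve_realm(h, by_host))
```

Under this model, two realms can share one DNS domain only as long as every migrated host (or sub-domain) has an entry more specific than the domain-wide default.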