Home / server / Questions / 1000332
In Process
stevegt
Asked: 2020-01-25 18:12:43 +0800 CST

Migrating from Heimdal to MIT Kerberos

  • 772

Does anyone know of any existing documentation, HOWTO, SE question, or even a blog post that shows an example Kerberos database migration from Heimdal to MIT KDCs? Has anyone done this operation themselves, and if so, did you discover any pitfalls, or did it just work?

H5l.org is down, so I'm digging around on wayback; I see the MIT to Heimdal migration docs that used to always be there -- re-reading them now, they imply that you should be able to go both ways, so there's hope: http://web.archive.org/web/20160610142834/http://www.h5l.org/manual/HEAD/info/heimdal/Migration.html#Migration

kerberos mitkerberos heimdal

1 Answers

  1. Here's what I have so far:

    1. Dump the Heimdal database. According to the old Heimdal docs, it should be possible to simply dump the db in MIT format using kadmin -l dump -f MIT. But the build of Heimdal I'm dealing with doesn't support the MIT option, so I had to first dump the db in the default format:
    # on old Heimdal KDC:
kadmin -l dump > /tmp/h5l.dump
    1. I then used NORDUnet's Dockerfiles to build temporary Heimdal and MIT KDCs using docker:
    # on e.g. laptop:
cd /tmp
git clone [email protected]:NORDUnet/krb5-docker.git
cd krb5-docker
docker build -f Dockerfile.heimdal -t heimdal-alpine .
docker build -f Dockerfile.mit -t krb5-alpine .
    1. Now we can import that Heimdal default file format and export as MIT:
    # laptop:
mkdir /tmp/k5
rsync -avz old-kdc:/tmp/h5l.dump /tmp/k5/
docker run --rm -it -v /tmp/k5:/tmp/k5 heimdal-alpine
docker ps # get container ID
docker exec -it b4e57b1bdb9f sh
# in heimdal-alpine container:
kadmin -l load /tmp/k5/h5l.dump
kadmin -l dump -f MIT /tmp/k5/mit.dump
    1. We should now have a good MIT-format dump file. To test this, I used the MIT container:
    # laptop
docker run --rm -it -v /tmp/k5:/tmp/k5 mit-alpine
docker ps # get container ID
docker exec -it 3721be560d8f sh
# in mit-alpine container:
kdb5_util load -verbose /tmp/k5/mit.dump

    This almost works. That "load" command exits with a zero return code, but a kdb5_util dump says No such entry in the database while retrieving master entry, with nothing on stdout. I'm sure I'm not starting the container(s) right, not getting their db initialized correctly, needing to do something with principals and/or keytabs. It's late, so I'm going to hit submit on this now and have another go at it next time I have a chance.

    • 1