HP (Hewlett-Packard) E0905 Server User Manual


 
Chapter 3: Migrating to a Newer Version of the Kerberos Server

Migrating from Kerberos Server Version 2.0 to Version 3.0
If you want to use the Kerberos server with C-tree as the backend
database, migrate your existing Kerberos server to Kerberos server v3.0.

In the Kerberos server v2.x, the password policy was based on the name
of the instance to which the principal belongs. Starting with the
Kerberos server v3.0, the password policy is based not on the instance
name but on the policy to which the principal subscribes. This gives a
principal the flexibility to subscribe to any policy in the
/opt/krb5/password.policy file.

You must securely copy the adm_acl_file from the Kerberos server v2.0
to the v3.0 system.

IMPORTANT: After migrating the v2.0 database to the v3.0 server, you must
modify the v2.0 principals with the appropriate policy names (policy names
are present in the /opt/krb5/password.policy file). The instance-based
rules apply if you do not specify the policy name.

To retain the v2.0 policies, copy the password.policy file to the v3.0
server before creating a new principal.

You can change the policy name using one of the administrative tools:
kadminl, kadmin, kadminl_ui, or kadmin_ui.

When you migrate the v2.0 database to the v3.0 server, the default
principal of the v2.0 database does not contain the policy name field.
Therefore, the default policy applicable to the created principals is * (the
default policy), until you modify the default policy of the principal.

To migrate from Kerberos server v2.0 to v3.0, complete the following
steps:

Step 1. Dump the database on the v2.0 server.

On the Kerberos server v2.0, dump the database with the default dump
version. The dump file must contain the default header,
“kdb5_util load_dump version 5.0”.
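
The following is an added example, not part of the HP manual: a pre-transfer check that confirms the dump carries the default header from Step 1, confirms only the owner can read it, and records a digest to compare on the v3.0 host after the secure copy. It assumes the header is the first line of the dump and that `sha256sum` is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks on a v2.0 dump before it is copied to the v3.0 host.
# Assumptions (not from the manual): the header is the first line of the
# dump file, and sha256sum is available on both hosts.

EXPECTED_HEADER='kdb5_util load_dump version 5.0'

# Return 0 if the first line of the dump is the default header.
check_dump_header() {
    first_line=$(head -n 1 "$1" | tr -d '\r')
    [ "$first_line" = "$EXPECTED_HEADER" ]
}

# Return 0 if the file grants no permissions to group or other.
# The dump holds principal key data, so only its owner should read it.
check_owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Run both checks, then print a SHA-256 line to record before the copy.
# Return codes: 2 = file missing, 3 = wrong header, 4 = loose permissions.
preflight_dump() {
    dump=$1
    [ -f "$dump" ] || { echo "missing: $dump" >&2; return 2; }
    check_dump_header "$dump" || { echo "unexpected header in $dump" >&2; return 3; }
    check_owner_only "$dump" || { echo "$dump is readable by group/other" >&2; return 4; }
    sha256sum "$dump"
}

# On the v3.0 host: recompute the digest and compare it with the recorded line.
# $1 = copied file, $2 = digest line printed by preflight_dump on the v2.0 host
verify_copy() {
    want=${2%% *}
    have=$(sha256sum "$1") || return 2
    [ "${have%% *}" = "$want" ]
}
```

`verify_copy` can be applied in the same way to adm_acl_file and password.policy after they are copied, using a digest recorded with `sha256sum` on the v2.0 host.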