If you want to use the Kerberos server with C-tree as the
backend database, migrate your existing Kerberos server to Kerberos
server v3.0.
In the Kerberos server v1.0, you can create a policy with
any name and attribute value. Any principal can subscribe to any
of the policies in the database.
In the Kerberos server v2.0, the password policy is based
on the instance name of the principal. The instance name is part
of the principal name. For example, in the principal, user1/admin@hp.com, admin is the instance name. The principals having the admin instance inherit the values defined for the admin policy in the password.policy file.
In Kerberos server v3.0, the password policies are based
on the policy subscribed to by the principal.
After you migrate the dump file from v1.0 to v3.0, the policy
information is available as a dump file. The policy information
is not migrated automatically; that is, the policy to which a principal
is subscribed is not updated in the database. The administrator
must explicitly classify the principals and add the policies
to the password.policy file, according to the site policy.
IMPORTANT: You must modify the principals with the new
policy. The instance-based rules apply if you do not specify the
policy.
You must manually migrate the admin_acl_file from v1.0 to v3.0. For more information, see “The
admin_acl_file File”.
To migrate from Kerberos server v1.0 to v3.0, complete the
following steps:
Dump the database
on the v1.0 server.
On the Kerberos server v1.0, dump the database with
the default dump version. The dump file must contain the default
header, “kdb5_util load_dump version 5”.
# kdb5_util dump /opt/krb5/dumpfilev1.0
Copy the dump file to the new
system where you are installing the Kerberos server v3.0.
Install the v3.0 Kerberos daemons
on the new system.
Migrate the v1.0 dump file to
the v3.0 dump file.
To generate the v3.0 dump file, run the kdb_migrate tool on the system where Kerberos server v3.0 is installed:
# kdb_migrate -i /opt/krb5/dumpfilev1.0 -o
=> /opt/krb5/dumpfilev3.0 -p /opt/krb5/polv3 -1
=> /tmp/kdb_migrate.log
NOTE: The lines beginning with => are continuations
of the previous line.
If the /var/adm/krb5/krb5kdc/kdc.conf file does not exist and the master key name is
not the default (K/M), pass the master key name to kdb_migrate with the -M option.
If the /var/adm/krb5/krb5kdc/kdc.conf file does not exist and the -e option is not specified, the encryption type is
the encryption type of the master principal obtained from the dumpfilev1.0.
If the /etc/krb5.conf file does not exist, the migration process fails.
You can change the password of the master key while executing
the migration tool. The tool prompts you for a password change.
If you want to change the password, type yes at the command prompt. If you do not want to change
the password, type no at the command prompt.
NOTE: You must use the same password while creating the minimal
database for v3.0 of the Kerberos server, as described in step 5.
The policy information is available in the /opt/krb5/polv2 directory and the logs are available in /tmp/kdb_migrate.log file.
Configure the Kerberos server
v3.0.
You can configure Kerberos server manually or by using
the krbsetup tool.
Ensure that the following values are the same in both versions
of the Kerberos server:
The master key password must be identical to the one that
was used in v1.0. This is applicable if you have not opted to change
the password, as mentioned in step 3. If you have changed the password,
use the same new password while creating the Kerberos server v3.0
database.
If you used the -e option to change the master key encryption type from v1.0
to v3.0 in step 3, use the same new encryption type for the master key
while creating the database in v3.0.
If you did not specify the -e option in step 3, then the encryption type with which
the v3.0 database was created must be the same as the one specified
while creating the v1.0 database. For more information, type man 4 kdc.conf at the HP-UX prompt and see the master_key_entry.
The krbsetup interactive tool prompts for the required parameters.
For more information, type man 1M krbsetup at the HP-UX prompt or see “Autoconfiguring the
Kerberos Server”.
Load the new version of the dump
file generated in step 3.
Use the kdb_load tool to load the database from the dump file, /opt/krb5/dumpfilev3.0:
# kdb_load -f /opt/krb5/dumpfilev3.0
Upon success, the following message appears:
The migration process of the principal information is now
completed.
Consider the following points:
The principal
information is migrated from v1.0 to v3.0.
The /opt/krb5/polv2 file contains the policy-related information. You
need to decide on the policies and add the policies to the /opt/krb5/password.policy file.
The policy applicable to the principal that is migrated from
v1.0 to v3.0 is based on the instance name of the principals. To
modify the policy, edit the principal to change the policy name
field to the new policy.
You cannot migrate the
admin_acl_file. You need to add the appropriate ACLs to the
/opt/krb5/admin_acl_file using the old admin_acl_file. For more information, see “The
admin_acl_file File”.
The /tmp/kdb_migrate.log file contains the log messages of step 3.
The log messages report failures ([ERR] messages), successful
migrations ([LOG] messages), and so forth.
If you encounter any problem while loading the new version
of the dump file, analyze the dump file.
Copy the /etc/krb5.conf file of the v1.0 server to the new system, where you
are installing the v3.0 server. In addition, copy the /var/adm/krb5/krb5kdc/kdc.conf file if the master key principal name is not the
default K/M. If only the master key principal name differs from
the default, avoid copying the kdc.conf file by specifying the -M option while using the kdb_migrate tool.
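The checks described in the procedure above can be scripted around kdb_migrate and kdb_load. The following is an added example, not part of the HP documentation or tools: it verifies the dump header, applies the krb5.conf and kdc.conf rules, and counts [ERR] lines in the migration log. The function names and the layout of the sample log lines are assumptions; only the [ERR] and [LOG] tags, the header string and the file paths come from this page.

```sh
# Added example. Header string, paths and tags are from the procedure above;
# the layout of the sample log lines is an assumption.
EXPECTED_HEADER='kdb5_util load_dump version 5'

# Return 0 when the dump file starts with the default header kdb_migrate needs.
check_dump_header() {
    [ -r "$1" ] || return 2
    first=$(head -n 1 "$1" | tr -d '\r')
    [ "$first" = "$EXPECTED_HEADER" ]
}

# Check the configuration files kdb_migrate depends on.
# $1 = root to inspect ("" for the live system), $2 = master key principal name.
preflight() {
    root=$1; mkey=${2:-K/M}
    if [ ! -f "$root/etc/krb5.conf" ]; then
        echo "FAIL: $root/etc/krb5.conf is missing, the migration will fail"
        return 1
    fi
    if [ ! -f "$root/var/adm/krb5/krb5kdc/kdc.conf" ]; then
        [ "$mkey" = "K/M" ] || echo "NEED: pass -M for master key name $mkey"
        echo "NOTE: without -e the master key enctype is taken from the dump"
    fi
}

# Print how many log lines carry a tag such as [ERR] or [LOG].
count_tag() {
    grep -c -F -- "$2" "$1" || true
}

# Return 0 only when the log is readable and holds no [ERR] line.
migration_clean() {
    [ -r "$1" ] || return 2
    [ "$(count_tag "$1" '[ERR]')" -eq 0 ]
}

# Demo on constructed files (not real KDC data).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$EXPECTED_HEADER" 'constructed-record' > "$tmp/dump"
    printf '%s\n' '[LOG] constructed: principal migrated' \
                  '[ERR] constructed: principal skipped' > "$tmp/migrate.log"
    check_dump_header "$tmp/dump" && echo "dump header ok"
    echo "ERR lines: $(count_tag "$tmp/migrate.log" '[ERR]')"
    migration_clean "$tmp/migrate.log" || echo "review the log before kdb_load"
    rm -rf "$tmp"
}
demo
```

On a live system, call preflight with an empty root argument and point migration_clean at /tmp/kdb_migrate.log before running kdb_load.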