Upgrading Existing Kerberos V5 Installations

If you already have a Kerberos database that you created with a prior release of Kerberos 5, you can upgrade it to work with the current release using the kdb5_util command. This dump/undump procedure is necessary only if you were running a krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC, or if you were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer KDC. The process for upgrading a Master KDC involves the following steps:

  1. Stop your current KDC and administration server processes, if any.
  2. Dump your existing Kerberos database to an ASCII file with kdb5_util's "dump" command:
              shell% cd /usr/local/var/krb5kdc
              shell% kdb5_util dump old-kdb-dump
              shell% kdb5_util dump -ov old-kdb-dump.ov
              shell%
              
  3. Create a new Master KDC installation (see Install the Master KDC). If you have a stash file for your current database, choose any new master password but then copy your existing stash file to the location specified by your kdc.conf; if you do not have a stash file for your current database, you must choose the same master password.
  4. Load your old Kerberos database into the new system with kdb5_util's "load" command:
              shell% cd /usr/local/var/krb5kdc
              shell% kdb5_util load old-kdb-dump
              shell% kdb5_util load -update old-kdb-dump.ov
              shell%
              

The "dump -ov" and "load -update" commands are necessary in order to preserve per-principal policy information, since the default dump format filters out that information. If you omit those steps, the loaded database will lose the policy information for each principal that has a policy.
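
Steps 2 and 4 above, wrapped with the checks an operator would want around them, as an added example that is not part of the original documentation or the Kerberos distribution. The function names and the KDB_DIR variable are hypothetical; only the kdb5_util invocations and the directory come from this page.

```shell
#!/bin/sh
# Added example, not from the Kerberos distribution. Function names are
# hypothetical; KDB_DIR defaults to the directory used on this page.
KDB_DIR="${KDB_DIR:-/usr/local/var/krb5kdc}"
DUMP="old-kdb-dump"

# Both dump files must exist and be non-empty before they are relied on.
check_dumps() {
    for f in "$KDB_DIR/$DUMP" "$KDB_DIR/$DUMP.ov"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty dump file: $f" >&2
            return 1
        fi
    done
}

# Step 2: dump in both formats. The body is a subshell so that cd and
# umask do not leak into the caller.
dump_old_kdb() (
    cd "$KDB_DIR" || exit 1
    # The dump carries every principal's key data: owner-only files.
    umask 077
    # Never clobber an earlier dump, e.g. by re-running after step 3.
    for f in "$DUMP" "$DUMP.ov"; do
        if [ -e "$f" ]; then
            echo "refusing to overwrite $KDB_DIR/$f" >&2
            exit 1
        fi
    done
    kdb5_util dump "$DUMP" || exit 1
    kdb5_util dump -ov "$DUMP.ov" || exit 1
    check_dumps
)

# Step 4: load the default-format dump first, then merge the policy
# information from the -ov dump. Refuses to start if either is missing.
load_new_kdb() (
    check_dumps || exit 1
    cd "$KDB_DIR" || exit 1
    kdb5_util load "$DUMP" || exit 1
    kdb5_util load -update "$DUMP.ov"
)
```

Run dump_old_kdb on the old installation after stopping the KDC and administration server, and load_new_kdb once the new Master KDC is installed.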

To update a Slave KDC, you must stop the old server processes on the Slave KDC, install the new server binaries, reload the most recent slave dump file, and re-start the server processes.