As with most software upgrades, Kerberos V5 is generally backward
compatible but not necessarily forward compatible. The Kerberos V5
daemons can interoperate with Kerberos V4 clients, but most of the
Kerberos V4 daemons can not interoperate with Kerberos V5 clients. This
suggests the following strategy for performing the upgrade:
- Upgrade your KDCs. This must be done first, so that
interactions with the Kerberos database, whether by Kerberos V5 clients
or by Kerberos V4 clients, will succeed.
- Upgrade your servers. This must be done before upgrading
client machines, so that the servers are able to respond to both
Kerberos V5 and Kerberos V4 queries.
- Upgrade your client machines. Do this only after your KDCs and
application servers are upgraded, so that all of your Kerberos V5
clients will be talking to Kerberos V5 daemons.