Skip Menu |

Date: Wed, 13 Feb 2013 08:04:30 -0500
From: John Devitofranceschi <>
Subject: Documentation__Installing KDCs

The documentation site is really nice.

It seems to be lacking any statement, however, about upgrading a Kerberos infrastructure..

What approach is recommended? Upgrading slaves first? Big bang? What kind of backward compatibility assurances can be assumed?

Thanks for your attention!

Subject: Document KDC upgrade procedures
Prior to the RST conversion, we had a brief section on upgrading the
KDC (added for ticket #119). It talked about doing a dump and load,
which hasn't been necessary for any release since 1.1, and didn't
talk about multi-KDC environments. We don't appear to have any KDC
upgrade documentation now. We should write some, as we periodically
get questions about how to do it.

Some considerations for when we write it:

* Slave KDCs should generally be upgraded before the master KDC, to
ensure that they can process the dump files generated by the master
(especially when using iprop; there is a workaround for traditional
kprop). This order also limits the impact of any problems resulting
from the upgrade.

* Ticket #8213 should be considered when upgrading to affected
versions in a realm using incremental propagation.