Andrew Deason <adeason@sinenomine.net> writes:

> But if you're creating a new database or using new KDCs, etc, that's not
> a problem.

Yeah, that's how we did it.

> And even converting the existing database in-place may be possible; I
> don't really know. I may be incorrect on some of these details anyway,
> this is all pure krb5 stuff and not much to do with AFS :)

For the record, I believe Heimdal does have support for a fallback salt
that you can use to handle principals keyed in the wrong realm, but I'm
not sure exactly how it works and have never had to use it.

