Diffstat (limited to 'crypto/heimdal/kadmin')
-rw-r--r--crypto/heimdal/kadmin/dump.c29
-rw-r--r--crypto/heimdal/kadmin/kadmin-commands.in6
-rw-r--r--crypto/heimdal/kadmin/kadmin.829
3 files changed, 57 insertions, 7 deletions
diff --git a/crypto/heimdal/kadmin/dump.c b/crypto/heimdal/kadmin/dump.c
index 91a5ada86607..2c302eced210 100644
--- a/crypto/heimdal/kadmin/dump.c
+++ b/crypto/heimdal/kadmin/dump.c
@@ -42,32 +42,51 @@ dump(struct dump_options *opt, int argc, char **argv)
{
krb5_error_code ret;
FILE *f;
+ struct hdb_print_entry_arg parg;
HDB *db = NULL;
- if(!local_flag) {
+ if (!local_flag) {
krb5_warnx(context, "dump is only available in local (-l) mode");
return 0;
}
db = _kadm5_s_get_db(kadm_handle);
- if(argc == 0)
+ if (argc == 0)
f = stdout;
else
f = fopen(argv[0], "w");
- if(f == NULL) {
+ if (f == NULL) {
krb5_warn(context, errno, "open: %s", argv[0]);
goto out;
}
ret = db->hdb_open(context, db, O_RDONLY, 0600);
- if(ret) {
+ if (ret) {
krb5_warn(context, ret, "hdb_open");
goto out;
}
+ if (!opt->format_string || strcmp(opt->format_string, "Heimdal") == 0) {
+ parg.fmt = HDB_DUMP_HEIMDAL;
+ } else if (opt->format_string && strcmp(opt->format_string, "MIT") == 0) {
+ parg.fmt = HDB_DUMP_MIT;
+ fprintf(f, "kdb5_util load_dump version 5\n"); /* 5||6, either way */
+ } else if (opt->format_string) {
+ /* Open the format string as a MIT mkey file. */
+ ret = hdb_read_master_key(context, opt->format_string, &db->hdb_mit_key);
+ if (ret)
+ krb5_errx(context, 1, "Cannot open MIT mkey file");
+ db->hdb_mit_key_set = 1;
+ parg.fmt = HDB_DUMP_MIT;
+ opt->decrypt_flag = 1;
+ fprintf(f, "kdb5_util load_dump version 5\n"); /* 5||6, either way */
+ } else {
+ krb5_errx(context, 1, "Supported dump formats: Heimdal and MIT");
+ }
+ parg.out = f;
hdb_foreach(context, db, opt->decrypt_flag ? HDB_F_DECRYPT : 0,
- hdb_print_entry, f);
+ hdb_print_entry, &parg);
db->hdb_close(context, db);
out:
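Review bot: The format comparisons on the `if (!opt->format_string || strcmp(opt->format_string, "Heimdal") == 0)` and `else if (opt->format_string && strcmp(opt->format_string, "MIT") == 0)` lines are case-sensitive against mixed-case names, while the help text added in the kadmin-commands.in hunk advertises the lowercase spellings `mit` and `heimdal`, so `--format=mit` falls through to the third branch, is treated as a master-key file path, and the command exits with "Cannot open MIT mkey file". Comparing case-insensitively reconciles the two hunks: `if (!opt->format_string || strcasecmp(opt->format_string, "heimdal") == 0) {` and `} else if (strcasecmp(opt->format_string, "mit") == 0) {`. The `opt->format_string &&` guard and the later `else if (opt->format_string)` are redundant once the first branch has handled NULL, which makes the final `else` with "Supported dump formats: Heimdal and MIT" unreachable; drop it, and make the mkey failure path report what actually went wrong with `krb5_err(context, 1, ret, "Cannot open MIT mkey file %s", opt->format_string);` rather than discarding `ret`. The mkey branch also forces `opt->decrypt_flag = 1` before `hdb_foreach`, so the file written through `f` then carries key material protected only by the MIT master key (per the man-page hunk) — a one-line comment at that assignment saying so would help, and since `f` comes from a plain `fopen(argv[0], "w")` earlier in this function, the creation mode of that dump file is worth confirming for this case. dump()'s signature is on the hunk header and its cleanup after `out:` lies outside the hunk.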
diff --git a/crypto/heimdal/kadmin/kadmin-commands.in b/crypto/heimdal/kadmin/kadmin-commands.in
index 4396ff800441..dc36db4e0a00 100644
--- a/crypto/heimdal/kadmin/kadmin-commands.in
+++ b/crypto/heimdal/kadmin/kadmin-commands.in
@@ -76,6 +76,12 @@ command = {
type = "flag"
help = "decrypt keys"
}
+ option = {
+ long = "format"
+ short = "f"
+ type = "string"
+ help = "dump format, mit or heimdal (default: heimdal)"
+ }
argument = "[dump-file]"
min_args = "0"
max_args = "1"
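Review bot: The `help =` string on the new option documents only `mit` and `heimdal`, but the dump.c hunk in this commit also accepts a path to an MIT master-key file through this same option and the man-page hunk documents that form, so the usage text should mention it, e.g. `help = "dump format: heimdal (default), mit, or path to an MIT master key file"`. The spellings given here should also match whatever the code compares against, which currently is `Heimdal` and `MIT`.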
diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8
index bd2fd4e7363f..e4555cd529f4 100644
--- a/crypto/heimdal/kadmin/kadmin.8
+++ b/crypto/heimdal/kadmin/kadmin.8
@@ -31,7 +31,7 @@
.\"
.\" $Id$
.\"
-.Dd Feb 22, 2007
+.Dd October 5, 2025
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
@@ -286,14 +286,39 @@ When running in local mode, the following commands can also be used:
.Pp
.Nm dump
.Op Fl d | Fl Fl decrypt
+.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
.Op Ar dump-file
.Bd -ragged -offset indent
Writes the database in
-.Dq human readable
+.Dq machine readable text
form to the specified file, or standard out. If the database is
encrypted, the dump will also have encrypted keys, unless
.Fl Fl decrypt
is used.
+.Pp
+If
+.Fl Fl format=MIT
+is used then the dump will be in MIT format.
+This option may be used if you require that all principal
+passwords be changed after loading the dump into an MIT KDC database.
+.Pp
+If
+.Fl Fl format=<keytab-file>
+is used, the
+.Dq <keytab-file>
+should hold the master key for the
+MIT KDC (usually a file called /var/db/krb5kdc/.k5.YOUR.REALM).
+This will cause the keys to be re-encrypted in the MIT master
+key as well as doing the dump in MIT format.
+When this dump is loaded into the MIT KDC's database,
+the principals that had at least one strong encryption type
+key should work and any keytabs for those principals should still work.
+The principcals with only weak encryption keys will require a
+.Dq change_password
+be done on the MIT KDC to get them working.
+The
+.Fl Fl decrypt
+flag is meaningless for this case.
.Ed
.Pp
.Nm init