[37512] in Kerberos


Re: Deleting and re-creating the default krbtgt principal?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jun 1 14:25:28 2016

To: Todd Grayson <tgrayson@cloudera.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <574F2882.1090906@mit.edu>
Date: Wed, 1 Jun 2016 14:25:06 -0400
MIME-Version: 1.0
In-Reply-To: <CALNT6MXF+AoJ7DKgSzN1bjpsPdYxh4HNf4YJwOmw2qZ4SCkmrg@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 06/01/2016 02:13 PM, Todd Grayson wrote:
> Is there any kind of guidance or rules of thumb around deleting and
> re-creating the default krbtgt principal for a KDC?  I've not been able to
> find specific discussion on doing this, or what the requirements would be
> for properly re-creating the entry.
> 
> The issue has to do with wanting to reset a number of values in the entry
> rather than using modprinc so many times over the entry.
> 
> Or is this a "don't do it" kind of thing?

I would recommend against it.  At best you would be invalidating all
existing TGTs; at worst you could get stuck in an unrecoverable state,
with no way to access the KDC host or connect to kadmin.

You can make multiple modifications to an entry in a single modprinc
operation.  Even if you make the modifications one at a time, I wouldn't
expect any problems from performing a dozen or so modprinc operations on
the same entry in quick succession.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
