[37513] in Kerberos


Re: Deleting and re-creating the default krbtgt principal?

daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Jun 1 21:31:36 2016

MIME-Version: 1.0
In-Reply-To: <574F2882.1090906@mit.edu>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 1 Jun 2016 19:30:58 -0600
Message-ID: <CALNT6MU-3FfN-S-Ln=nmoSWZgO3F8n0v9dwDwFw0-dkZPihQQA@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thanks Greg! I also found this procedure, we'll use modprinc on the other
actual user/service principals, and then follow this for modifying the
krbtgt.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/database.html#changing-krbtgt-key

On Wed, Jun 1, 2016 at 12:25 PM, Greg Hudson <ghudson@mit.edu> wrote:

> On 06/01/2016 02:13 PM, Todd Grayson wrote:
> > Is there any kind of guidance or rules of thumb around deleting and
> > re-creating the default krbtgt principal for a KDC?  I've not been able
> > to find specific discussion on doing this, or what the requirements would
> > be for properly re-creating the entry.
> >
> > The issue has to do with wanting to reset a number of values in the entry
> > rather than using modprinc so many times over the entry.
> >
> > Or is this a "don't do it" kind of thing?
>
> I would recommend against it.  At best you would be invalidating all
> existing TGTs; at worst you could get stuck in an unrecoverable state,
> with no way to access the KDC host or connect to kadmin.
>
> You can make multiple modifications to an entry in a single modprinc
> operation.  Even if you make the modifications one at a time, I wouldn't
> expect any problems from performing a dozen or so modprinc operations on
> the same entry in quick succession.
>
-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
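The two operations discussed above (batching several changes into one modprinc call, and rotating the krbtgt key with -keepold as the linked admin page describes), as an added example that is not part of the thread or the MIT krb5 project. It assumes a realm of EXAMPLE.COM, a placeholder host principal, and that kadmin.local is run as root on the KDC; the DRY_RUN default only prints the commands it would run.

```shell
#!/bin/sh
# Added example: one modprinc call carrying every attribute change, plus a
# krbtgt key rotation that keeps the old key so outstanding TGTs stay valid.
# Assumed values: REALM, the host principal name, and the kadmin.local path.

REALM="${REALM:-EXAMPLE.COM}"
KADMIN="${KADMIN:-kadmin.local}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command only; 0 = really run it

# run_kadmin QUERY: execute (or, in dry-run mode, print) one kadmin -q query.
run_kadmin() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s -q "%s"\n' "$KADMIN" "$1"
    else
        "$KADMIN" -q "$1"
    fi
}

# modprinc_query PRINCIPAL OPTION...: build a single modprinc query that
# applies all options in one database update instead of one call per option.
modprinc_query() {
    princ="$1"; shift
    printf 'modprinc %s %s' "$*" "$princ"
}

# rotate_krbtgt_query: change the krbtgt key in place rather than deleting
# the principal. -randkey generates a fresh key; -keepold retains the previous
# key so TGTs already issued under it can still be decrypted until they expire.
rotate_krbtgt_query() {
    printf 'cpw -randkey -keepold krbtgt/%s@%s' "$REALM" "$REALM"
}

# Reset ticket lifetimes and require preauthentication on a service principal
# in one operation (placeholder principal name).
run_kadmin "$(modprinc_query "host/kdc1.example.com@$REALM" \
    -maxlife 10h -maxrenewlife 7d +requires_preauth)"

# Rotate the krbtgt key without invalidating existing TGTs.
run_kadmin "$(rotate_krbtgt_query)"
```

Once the old key is no longer needed (after the longest TGT lifetime has passed), the page linked above also covers purging it with purgekeys.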
