[30393] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.17]: Document necessary delay in master key

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Dec 5 11:04:46 2018

Date: Wed, 5 Dec 2018 11:02:31 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201812051602.wB5G2VYL011729@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/91f331c507f6d36906b8432485b9b639c31ebff2
commit 91f331c507f6d36906b8432485b9b639c31ebff2
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Nov 26 13:37:46 2018 -0500

    Document necessary delay in master key rollover
    
    During master key rollover, if the old master key is purged
    immediately after updating principal encryption, running processes may
    not successfully update their in-memory copies of the master key.
    Document that the administrator should delay purging the master key
    until after propagation and some daemon activity.
    
    (cherry picked from commit 24425b730161c3d27d86a7ae0caa2305f70167f6)
    
    ticket: 8744
    version_fixed: 1.17

 doc/admin/database.rst |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 14c145b..2b02af3 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -535,6 +535,10 @@ availability.  To roll over the master key, follow these steps:
    use unlocked iteration; this variant will take longer, but will
    keep the database available to the KDC and kadmind while it runs.
 
+#. Wait until the above changes have propagated to all replica KDCs
+   and until all running KDC and kadmind processes have serviced
+   requests using updated principal entries.
+
 #. On the master KDC, run ``kdb5_util purge_mkeys`` to clean up the
    old master key.
 
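Review bot: the new step gives the administrator no way to tell when its condition is met; "until all running KDC and kadmind processes have serviced requests using updated principal entries" is not something an operator can observe directly, so the step should state a concrete criterion (for example, that propagation to every replica has completed and each KDC and kadmind has handled at least one request since) or a recommended minimum waiting period. It would also help to state the consequence from the commit message in the doc text itself, that purging the old master key too early can leave running processes unable to refresh their in-memory copy of the master key, so readers understand why the wait before ``kdb5_util purge_mkeys`` must not be skipped.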
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
