[36801] in Kerberos
Re: Recovering from a removed master key
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Feb 18 18:31:26 2015
Message-ID: <54E520BC.9010200@mit.edu>
Date: Wed, 18 Feb 2015 18:31:08 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Charles Adams <cadams04391@gmail.com>, kerberos@mit.edu
In-Reply-To: <CAMaDxXGDrpfNoJfcYw1CzcMKxhSKmTa5+acdH09vJEewS4+sfQ@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 02/18/2015 05:49 PM, Charles Adams wrote:
> slave1# kdb5_util dump -ov -verbose ~/kerbmaster-ov K/M@MY.REALM.ORG
> slave1# kdb5_util dump -verbose ~/kerbmaster K/M@MY.REALM.ORG
I don't think there's ever much call to use dump -ov today, although the
documentation was unclear on that point until recently. That's a side
point.
> master# kdb5_util load -verbose -update ~/kerbmaster
I would expect this to work, and it works for me if I reproduce your
situation in a test realm:
$ make testrealm
[...]
$ kdb5_util dump testdir/dump K/M@KRBTEST.COM
$ kadmin.local -q 'delprinc -force K/M' # XXX DO NOT DO THIS
$ kinit user # (this works as long as the KDC is still running)
$ kadmin.local # (fails with "Cannot find master key record")
$ pkill krb5kdc
$ krb5kdc # (fails with "cannot initialize realm")
$ kdb5_util load -update testdir/dump
$ krb5kdc # (succeeds)
$ kinit user # (succeeds)
$ kadmin.local # (succeeds)
Just be very careful not to forget the -update flag, or you'll wind up
with a KDB with only K/M in it.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
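A pre-load sanity check for the situation in this thread, added here as an example and not code from the krb5 project or from either poster. It assumes the textual layout of a kdb5_util dump file (a "kdb5_util load_dump version N" header line followed by tab-separated records whose first field is "princ" and whose sixth field is the principal name); the sample dump it writes is constructed and abbreviated. Before running "kdb5_util load -update" against a KDB that has lost its K/M entry, it confirms the dump actually carries K/M for the realm and reports how many principal records it holds, which is the number you would be left with if the -update flag were forgotten.

```shell
#!/bin/sh
# Sanity-check a kdb5_util dump before loading it back into an existing KDB.
# Added example; assumes the textual dump format described in the lead-in.

# Print one principal name per line ("princ" records, sixth tab-separated field).
dump_principals() {
    awk -F'\t' '$1 == "princ" { print $6 }' "$1"
}

# Number of principal records in the dump.
dump_principal_count() {
    dump_principals "$1" | wc -l | tr -d ' '
}

# Exit 0 if the dump contains the master key record K/M@REALM.
dump_has_master_key() {
    dump_principals "$1" | grep -qx "K/M@$2"
}

# Refuse a dump that cannot restore the master key; otherwise report the
# record count and remind that a merge into an existing KDB needs -update.
check_dump_for_restore() {
    file=$1
    realm=$2
    if ! dump_has_master_key "$file" "$realm"; then
        echo "refusing: $file has no K/M@$realm record" >&2
        return 1
    fi
    n=$(dump_principal_count "$file")
    echo "ok: $file has K/M@$realm and $n principal record(s);" \
         "merge with 'kdb5_util load -update', not a plain load"
    return 0
}

# Constructed, abbreviated sample dump so the script runs stand-alone.
# Fields after the principal name are placeholders, not real KDB attributes.
SAMPLE_DUMP=$(mktemp)
trap 'rm -f "$SAMPLE_DUMP"' EXIT
{
    printf 'kdb5_util load_dump version 7\n'
    printf 'princ\t16\t0\t1\t0\tK/M@MY.REALM.ORG\t0\t86400\n'
    printf 'princ\t25\t0\t1\t0\tkadmin/admin@MY.REALM.ORG\t0\t86400\n'
    printf 'princ\t17\t0\t1\t0\tuser@MY.REALM.ORG\t0\t86400\n'
} > "$SAMPLE_DUMP"

# Usage: check the constructed dump for the realm used in this thread.
check_dump_for_restore "$SAMPLE_DUMP" MY.REALM.ORG
```

Run it against a real dump with its path and realm in place of the sample; a dump that passes the check is the one to hand to "kdb5_util load -update", and a failing check means the dump was taken after K/M was already gone.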