[37095] in Kerberos

Re: Unable to access kdc after changing password

daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jun 19 16:19:46 2015

From: Tom Yu <tlyu@mit.edu>
To: "Podrigal\, Aron" <aronp@guaranteedplus.com>
Date: Fri, 19 Jun 2015 16:19:31 -0400
In-Reply-To: <CANJp-yjxUc8D6nSmRm-=eh04waMco8M2HAS1EhBBqN00A8=rOg@mail.gmail.com>
	(Aron Podrigal's message of "Wed, 17 Jun 2015 01:17:00 -0400")
Message-ID: <ldvzj3v5u3w.fsf@sarnath.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

"Podrigal, Aron" <aronp@guaranteedplus.com> writes:

> kadmin: change_password K/M
> kadmin: quit
>
> Which should change the master password, no?
>
> But now I can't seem to get access to the database

The master key K/M is special and can't be changed in a useful way by
using the kadmin change_password command.  It is probably a bug that you
were able to run that command without getting an error.

The following link describes the correct way to update the master key.

    http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key

> # kdb5_util stash
> kdb5_util: Unable to decrypt latest master key with the provided master key
> while getting master key list
> kdb5_util: Warning: proceeding without master key list
> Enter KDC database master key:
> kdb5_util: Unable to decrypt latest master key with the provided master key
> while getting master key list
> #
>
> As I understand the problem is that the key in keytab is no longer valid.
> However providing the password on command line as shown above should work.
> I'm confident that I didn't forget the password :)
>
> Can anyone point me in the right direction? I seem to be missing some
> general knowledge here. Any info would be greatly appreciated.

The master key encrypts every key in the database, including itself.
This fact is used by nearly every program that touches the database to
verify the correctness of the master key as read from a stash file or
the keyboard.  By running the change_password command on K/M, you
changed the key stored in the K/M principal entry in the database, but
it probably remained encrypted in the old master key, as did every other
key in the database.

Unfortunately, this situation is probably very difficult to recover
without reloading a backup of the database.

-Tom
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
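
Added example, not part of the message above and not MIT krb5 code: a simplified model of the self-check the reply describes, where the K/M entry is encrypted in the master key itself, showing why replacing only that entry leaves the database failing verification under both the old and the new key. The toy cipher, key derivation, and every function name here are assumptions made for illustration; `rotate_mkey` only shows the invariant being preserved and does not reproduce the kdb5_util procedure at the link above.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Toy encrypt-then-MAC; NOT a Kerberos enctype."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("unable to decrypt with the provided key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def s2k(password):
    # Hypothetical string-to-key; real Kerberos uses per-enctype functions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"toy-salt", 1000)

def create_db(master_pw, principals):
    mkey = s2k(master_pw)
    db = {name: seal(mkey, s2k(pw)) for name, pw in principals.items()}
    db["K/M"] = seal(mkey, mkey)  # the master key encrypts itself
    return db

def verify_mkey(db, candidate):
    """Self-check: K/M must decrypt under the candidate and equal the candidate."""
    try:
        return hmac.compare_digest(unseal(candidate, db["K/M"]), candidate)
    except ValueError:
        return False

def change_password_on_km(db, old_mkey, new_pw):
    """Models the thread's situation: only K/M changes, still sealed in the old key."""
    db["K/M"] = seal(old_mkey, s2k(new_pw))

def rotate_mkey(db, old_mkey, new_pw):
    """Keeps the invariant: every entry, K/M included, is re-encrypted in the new key."""
    new_mkey = s2k(new_pw)
    for name in db:
        if name != "K/M":
            db[name] = seal(new_mkey, unseal(old_mkey, db[name]))
    db["K/M"] = seal(new_mkey, new_mkey)
    return new_mkey
```
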
