[37858] in Kerberos
Re: Problem with db master password migrating kerberos server to new
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Feb 7 10:54:39 2017
To: Rainer Krienke <krienke@uni-koblenz.de>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <08c53b48-4121-a572-286d-8e58f79584e8@mit.edu>
Date: Tue, 7 Feb 2017 10:54:24 -0500
MIME-Version: 1.0
In-Reply-To: <0f0aa7b5-2e01-7f6e-0c44-e9e091102b39@uni-koblenz.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 02/07/2017 03:17 AM, Rainer Krienke wrote:
> Afterwards I am able to run kadmin.local and can e.g. list all the
> principals. However I am unable to login using kadmin.local -m using my
> database master password which works on server A.
The default master key type changed from des3-cbc-sha1 to aes256-cts in
release 1.9. Unfortunately, we are not as friendly about the master key
enctype as we could be, due to this issue:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6641
If you configure "master_key_enctype = des3-cbc-sha1" in the [realms]
subsection for your realm in kdc.conf (or krb5.conf), I believe it
should work again (in both versions). Alternatively, you could rotate
the master key by following this procedure:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html?highlight=master#updating-the-master-key
I am curious why you sometimes use the typed-in master key password when
you have a stash file.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
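The workaround described above, as an added kdc.conf fragment that is not part of the original message or of the MIT krb5 tree. The realm name, file paths and other settings are assumptions for illustration; the parameter name in MIT's kdc.conf documentation is master_key_type. The setting only matters when the master key is derived from the typed-in password (kadmin.local -m, or kdb5_util without a stash); with a stash file the enctype comes from the stash itself.

```ini
# kdc.conf fragment (added example). Realm name and paths are assumptions.
[realms]
    EXAMPLE.COM = {
        database_name = /var/krb5kdc/principal
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
        acl_file = /var/krb5kdc/kadm5.acl
        # The database was created by a pre-1.9 KDC, whose default master
        # key type was des3-cbc-sha1. A 1.9+ KDC defaults to aes256-cts, so
        # pin the old type or the key derived from the master password will
        # not match the one protecting the principals.
        master_key_type = des3-cbc-sha1
        # After rotating the master key to AES (kdb5_util add_mkey -e
        # aes256-cts -s; use_mkey; update_princ_encryption; purge_mkeys),
        # switch to the new type, or delete the line to take the default:
        # master_key_type = aes256-cts-hmac-sha1-96
    }
```

The commented rotation commands are the steps from the "Updating the master key" page linked above; run them on one KDC with a consistent kdc.conf on every KDC before removing the des3 setting, since any KDC still deriving the key from the password with the old type will fail to open the database once the principals have been re-encrypted.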