[37860] in Kerberos


Re: Problem with db master password migrating kerberos server to new

daemon@ATHENA.MIT.EDU (Rainer Krienke)
Wed Feb 8 07:34:01 2017

To: kerberos@mit.edu
From: Rainer Krienke <krienke@uni-koblenz.de>
Message-ID: <2cda36cc-ae39-8a9d-bcf7-b08051b4e572@uni-koblenz.de>
Date: Wed, 8 Feb 2017 13:33:44 +0100
In-Reply-To: <08c53b48-4121-a572-286d-8e58f79584e8@mit.edu>

Hello Greg,

thank you very much for your answer.

> If you configure "master_key_enctype = des3-cbc-sha1" in the [realms]
> subsection for your realm in kdc.conf (or krb5.conf), I believe it
> should work again (in both versions).  Alternatively, you could rotate
> the master key by following this procedure:

This solution did not work for me. I put the master_key_enctype as
described into the krb5.conf and kdc.conf files, but a kdb5_util create
-r xyz -s still created an aes256-cts-hmac-sha1-96 master key. Next I
tried kdb5_util -k des3-cbc-sha1 create -r xyz -s. This worked in the
sense that the master key was actually a des key, but access via
kadmin.local -m <password> then does not work. Using the new stash file
it works. Perhaps there is a fixed encryption type compiled into the binaries?

>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html?highlight=master#updating-the-master-key

This solution looks promising. I simply created a new kerberos db,
exported the old one and imported everything on the new server. Using
the old stash file I am able to work with the new database. Carrying out
the described commands in order to add a new master key worked fine.

The only thing I ask myself is whether the new encryption type available in
this new kerberos version (aes256-cts-hmac-sha1-96) could bite an older
client that does not know anything about this enctype but wants to get a
ticket from the server for a principal that has been encrypted with this
new encryption algorithm during the kdb5_util update_princ_encryption
run, or if a new principal is created?

Is this danger real?

>
> I am curious why you sometimes use the typed-in master key password when
> you have a stash file.
>
Well, I just wanted to ensure in the first place that everything that
works with the old server also works with the new one. I used
kadmin.local -m just for testing whether the master key is still valid and
working. In general, of course, I make use of the stash file, but it could
get corrupted or accidentally deleted, which might lock me out of the
database.

Thank you very much
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
Web: http://userpages.uni-koblenz.de/~krienke
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
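As an added example (not part of this thread, and not MIT krb5 code), here is a small Python checker for the placement Greg describes: it parses a kdc.conf in the krb5 profile format, reads master_key_enctype from the realm's own subsection under [realms], and lists the realm's supported_enctypes that a given older client does not advertise, which is the "could this bite an older client" question above. The sample kdc.conf, the realm EXAMPLE.COM and its file paths are constructed; supported_enctypes is a standard kdc.conf realm setting but does not appear in the thread.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample kdc.conf (placeholder realm and paths, not from the thread).
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal
        key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
        master_key_enctype = des3-cbc-sha1
        supported_enctypes = aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
    }
"""

# Parsed shape: section -> subsection name (None for top-level keys) -> {key: value}
Profile = Dict[str, Dict[Optional[str], Dict[str, str]]]


def parse_kdc_conf(text: str) -> Profile:
    """Parse the krb5 profile format: [section] headers, key = value lines,
    and one level of name = { ... } subsections (enough for [realms])."""
    sections: Profile = {}
    section: Optional[str] = None
    subsection: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section, subsection = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue  # key before any section header: ignore
        if line == "}":
            subsection = None
            continue
        # Subsection open must be tested before the generic key = value form.
        m = re.match(r"^([^=\s]+)\s*=\s*\{$", line)
        if m:
            subsection = m.group(1)
            sections[section].setdefault(subsection, {})
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            sections[section].setdefault(subsection, {})[m.group(1)] = m.group(2).strip()
    return sections


def realm_master_key_enctype(conf: Profile, realm: str) -> Optional[str]:
    """master_key_enctype as set in the realm's subsection of [realms], or None."""
    return conf.get("realms", {}).get(realm, {}).get("master_key_enctype")


def realm_supported_enctypes(conf: Profile, realm: str) -> List[str]:
    """Enctype names from supported_enctypes, dropping the :salttype suffix."""
    raw = conf.get("realms", {}).get(realm, {}).get("supported_enctypes", "")
    return [token.split(":", 1)[0] for token in raw.split()]


def enctypes_unknown_to(conf: Profile, realm: str, client_enctypes: Iterable[str]) -> List[str]:
    """Enctypes this KDC will use for new or re-encrypted principal keys
    that the given client does not support (a compatibility risk to review)."""
    known = set(client_enctypes)
    return [e for e in realm_supported_enctypes(conf, realm) if e not in known]


if __name__ == "__main__":
    conf = parse_kdc_conf(SAMPLE_KDC_CONF)
    print("master_key_enctype:", realm_master_key_enctype(conf, "EXAMPLE.COM"))
    print("supported_enctypes:", realm_supported_enctypes(conf, "EXAMPLE.COM"))
    # A constructed old client that only knows des3-cbc-sha1.
    print("unknown to old client:", enctypes_unknown_to(conf, "EXAMPLE.COM", {"des3-cbc-sha1"}))
```

Run it against a real kdc.conf by replacing SAMPLE_KDC_CONF with the file's contents; a None result for the realm means the setting landed outside the realm's subsection (for example at the top of [realms] or in [kdcdefaults]) and will not be read as a per-realm option.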
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
