[38330] in Kerberos
"kdb5_util load -update" best practice
daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Sat Sep 22 09:45:03 2018
From: John Devitofranceschi <jdvf@optonline.net>
Message-Id: <C156BC23-9F37-400A-91E5-18B6DEBD1C31@optonline.net>
Date: Sat, 22 Sep 2018 09:44:41 -0400
To: kerberos@mit.edu

This week about 100 host and other service principals were deleted by mistake, rendering the owning systems and services unusable.

In order to remedy this, we tried using a pre-mistake backup (dump format) of the kdb to restore the principals:

kdb5_util load -update dumpfile principal

However this did not work. This is what’s documented in the MIT docs. We were expecting to be able to run this once per missing principal.

So instead we loaded the backup dump into a temporary kdb and extracted the missing principals into a separate dump file:

kdb5_util -d tempKDB load dumpfile
kdb5_util -d tempKDB dump missing-princs-dumpfile princ1 princ2 … princN

and ran this:

kdb5_util load -update missing-princs-dumpfile

which worked. Systems restored; drinks all ‘round.

Questions:

Is there any easier way to do this?

When we loaded the missing principals, we shut down kadmind. Was this necessary? Or will kdb5_util lock the KDB properly when loading? We were worried about potential corruption if the KDB was not in a quiescent state.

When the missing principals were being added, the load process also reported that it added policies. Why did it do that? If the policies are already there, is this a no-op?

We’re using MIT Kerberos 1.13.2, by the way.

jd
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos