[38344] in Kerberos
Rolling the master key online
daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Fri Sep 28 07:40:13 2018
From: John Devitofranceschi <jdvf@optonline.net>
Message-Id: <617167A7-952E-4FFC-817F-C72333764AE5@optonline.net>
Date: Fri, 28 Sep 2018 07:24:23 -0400
To: kerberos@mit.edu
Are there any timing considerations when purging the old master key(s)?
I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running the ‘purge_mkeys’ before the updated principals were propagated to the slaves after running the ‘update_princ_encryption’.
I had to restart kadmind, krb5kdc, and kpropd to get things working again.
Also, after running ‘kdb5_util stash’ on the slave, the old key is preserved in the stash file, but on the master ‘kdb5_util add_mkey -s’ clobbers the old key.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos