[38348] in Kerberos


Re: Rolling the master key online

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Sep 29 11:34:02 2018

To: John Devitofranceschi <jdvf@optonline.net>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <7f293c82-767b-2398-217d-980771c97e3e@mit.edu>
Date: Sat, 29 Sep 2018 11:33:40 -0400
In-Reply-To: <617167A7-952E-4FFC-817F-C72333764AE5@optonline.net>

On 09/28/2018 07:24 AM, John Devitofranceschi wrote:
> 
> Are there any timing considerations when purging the old master key(s)?
> 
> I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running the 'purge_mkeys' before the updated principals were propagated to the slaves after running the 'update_princ_encryption'.

I was not aware of any issues like this.  Please send a bug report to
krb5-bugs@mit.edu with as much detail as you can reconstruct, including
the krb5 versions running on the KDCs, specific error messages, and the
sequence of operations performed.  I will see if I can figure out what
might have gone wrong.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
