[38349] in Kerberos


Re: Rolling the master key online

daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Sat Sep 29 13:49:29 2018

From: John Devitofranceschi <jdvf@optonline.net>
Message-Id: <672E6594-3C65-47AC-8F4E-0385A9B0AF2A@optonline.net>
Date: Sat, 29 Sep 2018 13:49:06 -0400
In-Reply-To: <7f293c82-767b-2398-217d-980771c97e3e@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu

> On Sep 29, 2018, at 11:33 AM, Greg Hudson <ghudson@MIT.EDU> wrote:
>
> On 09/28/2018 07:24 AM, John Devitofranceschi wrote:
>> Are there any timing considerations when purging the old master key(s)?
>> I experienced some problems after following the documented procedure
>> (kadmind/kpropd not working, tickets not being issued) which I think
>> might have been due to running the ‘purge_mkeys’ before the updated
>> principals were propagated to the slaves after running the
>> ‘update_princ_encryption’.
>
> I was not aware of any issues like this.  Please send a bug report to
> krb5-bugs@mit.edu with as much detail as you can reconstruct, including
> the krb5 versions running on the KDCs, specific error messages, and the
> sequence of operations performed.  I will see if I can figure out what
> might have gone wrong.

Will do.  Just following up on my experiences, when I repeated the
process and made certain that all the slaves had the principal
encryption updates, I had no problems at all.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
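
The ordering reported in the message above (purge old master keys only once every replica, the "slaves" in the message, has the re-encrypted principals), as an added shell example that is not part of the original message or of MIT krb5. It assumes full-dump propagation with kprop rather than incremental propagation, that the new master key has already been added and activated, and that the host names and dump path are constructed placeholders.

```shell
#!/bin/sh
# Added example: refuse to run purge_mkeys until the re-encrypted database
# has been pushed to every replica KDC. Run on the primary KDC.
# Assumption: kdb5_util add_mkey / use_mkey were already done.

REPLICAS="${REPLICAS:-kdc2.example.com kdc3.example.com}"  # constructed names
DUMPFILE="${DUMPFILE:-/var/tmp/replica_datatrans}"         # hypothetical path

# Re-encrypt principal keys in the active master key, then dump for kprop.
reencrypt_and_dump() {
    kdb5_util update_princ_encryption -f -v || return 1
    kdb5_util dump "$DUMPFILE" || return 1
}

# Push the dump to each replica; print the hosts where kprop failed.
propagate_all() {
    failed=""
    for host in $REPLICAS; do
        kprop -f "$DUMPFILE" "$host" >/dev/null 2>&1 || failed="$failed $host"
    done
    printf '%s' "${failed# }"
}

# Returns 0 after a purge, 2 if re-encryption/dump failed,
# 3 if any replica did not receive the update (no purge is attempted).
roll_and_purge() {
    reencrypt_and_dump || { echo "re-encryption or dump failed" >&2; return 2; }
    stale=$(propagate_all)
    if [ -n "$stale" ]; then
        echo "not purging; replicas without the update: $stale" >&2
        return 3
    fi
    kdb5_util purge_mkeys -f -v
}
```

Calling `roll_and_purge` performs the whole sequence; to preview the purge without changing the database, `kdb5_util purge_mkeys -n -v` does a dry run.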