[38350] in Kerberos
Merge Databases, can't dump -mkey_convert principal
daemon@ATHENA.MIT.EDU (Eric Hattemer)
Mon Oct 1 21:00:33 2018
From: Eric Hattemer <ehatteme@usc.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 2 Oct 2018 00:54:54 +0000
Message-ID: <a540f27c-8c93-71db-0471-19aca2e3e16f@usc.edu>
We have a production Kerberos cluster, and a test cluster. I'd like to
refresh test from production without overwriting those principals that
are specific to test. We also have something wrong with our production
master database where it will respond to 'kdb5_util dump -verbose'
commands by either hanging or looping. Generally speaking, everything
works fine, it's just that the database (which is 20 years old) cannot
be dumped. So eventually I'd like to copy the prod database over to
test and figure out what's wrong with it.

The prod and test databases have different master keys at the moment. I
thought what I would do is dump all the test-specific principals with
'-mkey_convert' to the prod master password. But that's currently where
I'm stuck. If I run:

    sudo kdb5_util dump -verbose -mkey_convert -k aes256-cts-hmac-sha1-96

it runs for a few hundred accounts, then stops at one specific principal:

    kdb5_util: Decrypt integrity check failed while converting b@REALM to
    new master key
    kdb5_util: Decrypt integrity check failed performing Kerberos version 5
    release 1.11 dump

If I limit the dump to just b@REALM, it fails immediately with the same
error.

That account is involved in some automated testing. Dumps failed both
before and after the account successfully changed its password and
logged in. So the principal works, it just can't be dumped with
mkey_convert. The whole database dumps fine without mkey_convert. I
had two mkeys loaded in the database. I tried:

    sudo kdb5_util use_mkey 1
    sudo kdb5_util update_princ_encryption b@REALM

and it converted just fine.

I'm probably going to create a third environment that doesn't need the
test principals in it. But I'm just wondering if there's a solution to
the principal that works for the user but can't be dumped with a new key.
--
Eric Hattemer
Engineer
Identity and Access Management
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
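The per-principal bisection the post describes ("If I limit the dump to just b@REALM, it fails immediately"), as an added example that is not part of the original message and not MIT krb5's own tooling: a POSIX shell script that attempts the master-key conversion one principal at a time and lists the principals whose dump fails with the "Decrypt integrity check failed" error, so the problem entries can be found without guessing. It assumes kdb5_util and kadmin.local are on PATH, that the new master key is available in a stash file (NEW_MKEY_STASH, an assumed path, passed with the documented -new_mkey_file option), and it places the global -k option before the dump subcommand as the kdb5_util man page shows. The dump command is injected as the first parameter so the collection logic can be exercised with a stub.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): bisect a failing
# 'kdb5_util dump -mkey_convert' by dumping one principal at a time and
# collecting the principals that fail with the integrity-check error.
#
# Assumptions (not stated on the page): kdb5_util and kadmin.local are on
# PATH and the new master key is stashed in NEW_MKEY_STASH.
set -u

NEW_MKEY_STASH="${NEW_MKEY_STASH:-/var/krb5kdc/.k5.new}"   # assumed path

# Real worker: dump a single principal with master-key conversion into a
# throwaway file.  Returns kdb5_util's exit status; stderr passes through.
# kdb5_util's dump syntax is: dump [options] [filename [principals...]]
dump_one_principal() {
    princ="$1"
    tmpdir=$(mktemp -d) || return 2
    kdb5_util -k aes256-cts-hmac-sha1-96 dump -mkey_convert \
        -new_mkey_file "$NEW_MKEY_STASH" "$tmpdir/out" "$princ"
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# Extract the principal name from the error shown in the post:
#   kdb5_util: Decrypt integrity check failed while converting b@REALM to
#   new master key
# The message may be wrapped across two lines, so join lines first.
principal_from_error() {
    tr '\n' ' ' \
      | sed -n 's/.*while converting \([^ ]*\) to *new master key.*/\1/p' \
      | head -n 1
}

# find_failing_principals DUMP_CMD PRINC...
# Runs DUMP_CMD on each principal and prints, one per line, the names of
# those whose dump fails with "Decrypt integrity check failed".  Other
# failures are reported on stderr so they are not silently dropped.
find_failing_principals() {
    cmd="$1"; shift
    for p in "$@"; do
        # Capture stderr only; the dump itself is discarded.
        if err=$("$cmd" "$p" 2>&1 >/dev/null); then
            continue                        # converted fine with the new key
        fi
        if printf '%s\n' "$err" | grep -q 'Decrypt integrity check failed'; then
            # Prefer the name kdb5_util reports; fall back to the one requested.
            name=$(printf '%s\n' "$err" | principal_from_error)
            printf '%s\n' "${name:-$p}"
        else
            printf 'warning: %s failed for another reason: %s\n' "$p" "$err" >&2
        fi
    done
    return 0
}

# Production usage (only when invoked with --run): enumerate every principal
# and bisect.  'kadmin.local -q listprincs' prints a banner line first, so
# keep only lines containing '@'.
if [ "${1:-}" = "--run" ]; then
    princs=$(kadmin.local -q listprincs | grep '@')
    # shellcheck disable=SC2086  # word-splitting on newlines is intended
    find_failing_principals dump_one_principal $princs
fi
```

Run as `sh find_bad_mkey_convert.sh --run` on the KDC (as a user that can read the database, i.e. under sudo like the commands in the post). The resulting list is exactly the set of entries to which the per-principal `kdb5_util update_princ_encryption` that the poster tried on b@REALM would be applied before retrying the full `dump -mkey_convert`.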