[38354] in Kerberos
Re: Merge Databases, can't dump -mkey_convert principal
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Oct 8 11:14:21 2018
To: Eric Hattemer <ehatteme@usc.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <088a06d0-b6d0-2a90-00c4-2bbbb8235590@mit.edu>
Date: Mon, 8 Oct 2018 11:13:47 -0400
In-Reply-To: <a540f27c-8c93-71db-0471-19aca2e3e16f@usc.edu>
(Sorry for the slow response.)
On 10/01/2018 08:54 PM, Eric Hattemer wrote:
> We have a production Kerberos cluster, and a test cluster. I'd like to
> refresh test from production without overwriting those principals that
> are specific to test. We also have something wrong with our production
> master database where it will respond to 'kdb5_util dump -verbose'
> commands by either hanging or looping.
Release 1.15 added (well, re-added) "kdb5_util dump -recurse" which can
help with this situation. The DB2 format contains iteration pointers as
well as parent-child pointers; if the iteration pointers are corrupt,
lookups work but iteration does not. Dumping with the -recurse option
forces the use of the parent-child pointers for iteration.
> kdb5_util: Decrypt integrity check failed while converting b@REALM to
> new master key
> kdb5_util: Decrypt integrity check failed performing Kerberos version 5
> release 1.11 dump
> That account is involved in some automated testing. Dumps failed both
> before and after the account successfully changed its password and
> logged in. So the principal works, it just can't be dumped with
> mkey_convert. The whole database dumps fine without mkey_convert. I
> had two mkeys loaded in the database. I tried:
>
> sudo kdb5_util use_mkey 1
> sudo kdb5_util update_princ_encryption b@REALM
>
> and it converted just fine.
I don't have any good theories here. kdb5_util dump -mkey_convert and
kdb5_util update_princ_encryption both use similar code paths to decrypt
the existing key entries
(src/kadmin/dbutil/dump.c:master_key_convert()), so it's strange that
one would fail and the other would succeed. There was a bug related to
the -keepold flag which we fixed in 1.13:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7995
but I would expect that problem to apply to update_princ_encryption, and
you didn't mention using the -keepold flag.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
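The failure mode Greg describes above (lookups via parent-child pointers still working while cursor iteration over corrupt sibling pointers loops, and a recursive walk recovering every record) in a toy model. This is an added example, not code from MIT krb5 or libdb; the Leaf/Internal node layout, the fanout and the cycle check are constructed simplifications of the real DB2 on-disk format.

```python
class Leaf:
    def __init__(self, records):
        self.records = records  # sorted (key, value) pairs
        self.next = None        # iteration pointer to the right sibling
class Internal:
    def __init__(self, keys, children):
        self.keys, self.children = keys, children  # separators, parent-child pointers
def build_tree(records, fanout=2):
    """One internal root over leaves chained left-to-right by `next`."""
    leaves = [Leaf(records[i:i + fanout]) for i in range(0, len(records), fanout)]
    for left, right in zip(leaves, leaves[1:]):
        left.next = right
    return Internal([leaf.records[0][0] for leaf in leaves[1:]], leaves)

def lookup(root, key):
    """Point lookup: descends parent-child pointers, never touches `next`."""
    node = root
    while isinstance(node, Internal):
        node = node.children[sum(1 for k in node.keys if key >= k)]
    return dict(node.records).get(key)

def iterate_via_siblings(root):
    """Cursor iteration (plain `dump`): leftmost leaf, then follow `next`."""
    node = root
    while isinstance(node, Internal):
        node = node.children[0]
    seen, out = set(), []
    while node is not None:
        if id(node) in seen:  # real code would hang here; we detect the cycle
            raise RuntimeError("iteration pointer cycle detected")
        seen.add(id(node))
        out.extend(node.records)
        node = node.next
    return out

def iterate_recursive(node):
    """Walk parent-child pointers only (what `dump -recurse` relies on)."""
    if isinstance(node, Leaf):
        return list(node.records)
    return [rec for child in node.children for rec in iterate_recursive(child)]
def run_scenario():
    """Corrupt one iteration pointer, then compare the three access paths."""
    princs = [(f"{c}@REALM", n) for n, c in enumerate("abcde", 1)]  # constructed data
    root = build_tree(princs)
    root.children[2].next = root.children[1]  # last leaf now points backwards
    try:
        sibling_ok = iterate_via_siblings(root) == princs
    except RuntimeError:
        sibling_ok = False
    return {"lookup_b": lookup(root, "b@REALM"), "sibling_iteration_ok": sibling_ok,
            "recursive_dump": iterate_recursive(root)}
```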