[2291] in Kerberos-V5-bugs
krb5-admin/58: kdb5_util load, et seq., messages may be misleading
daemon@ATHENA.MIT.EDU (John Hawkinson)
Fri Oct 4 17:44:39 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, John Hawkinson <jhawk@bbnplanet.com>
Date: Fri, 4 Oct 1996 17:43:02 -0400 (EDT)
From: John Hawkinson <jhawk@bbnplanet.com>
To: krb5-bugs@MIT.EDU
>Number: 58
>Category: krb5-admin
>Synopsis: kdb5_util load, et seq., messages may be misleading
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bjaspan
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Oct 4 17:44:00 EDT 1996
>Last-Modified:
>Originator: John Hawkinson
>Organization:
BBN Planet
>Release: beta-7
>Environment:
System: SunOS all-purpo 4.1.4 4 sun4m
Architecture: sun4
>Description:
Ted asked me to submit this as a PR. I spent some
nontrivial amount of time banging my head against a wall
this morning trying to move my krb5b5 database to krb5b7. Hopefully
this is clear -- if not please bug me.
Essentially there were confusing error messages and my lack
of sleep didn't help.
>How-To-Repeat:
Beta 5 was installed with --prefix=/krb5. Beta 7 with
--prefix=/usr/local/krb5.
I dumped the B5 database to /var/tmp/dump with kdb5_edit.
Initially, I attempted to load the database:
# kdb5_util load -old /var/tmp/dump
kdb5_util: Cannot find/read stored master key while initializing the kerberos context
load: cannot delete bad database /usr/local/krb5/lib/krb5kdc/principal~ (No such file or directory)
The second error doesn't seem to have a good reason for existing...
At this point I managed to conclude that it was necessary to "kdb5_util
create" the database before "kdb5_util load"-ing it. This produced
the following:
# kdb5_util create -s
Initializing database '/usr/local/krb5/lib/krb5kdc/principal' for realm 'BBNPLANET.NET',
master key name 'K/M@BBNPLANET.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# kdb5_util load -update -old /var/tmp/dump
# kadmin.local
kadmin.local: Decrypt integrity check failed while initializing kadmin.local interface
Because K/M is not consistent. I guess that error message is sane,
though specifying a bit more clearly might be better. I understood
it correctly.
At that point I tried a number of combinations of -update and load and
stashing the master key and trying to hack kdb5_util to read the
stashed key and failed miserably (should have gone to sleep, then).
Anyhow, I talked to Ted and it was clarified the problem was I needed
to:
# rm princ*
# cp /.k5.BBNPLANET.NET .
# kdb5_util load -old /var/tmp/dump
# kadmin.local
kadmin.local:
and things worked fine, rah, rah.
>Fix:
Umm, perhaps making the documentation a bit clearer on whether
"create" is a prerequisite for "load".
While we're at it, what's the deal with this:
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now, I deliberately forget my Master Key. In fact, I generate it by
md5ing whatever's handy lying around and adding some random
characters. As far as I can tell there's no good reason to change this
practice...
Ummph.
--jhawk (still running since Thursday with no sleep...)
>Audit-Trail:
>Unformatted: