[3107] in Kerberos-V5-bugs
krb5-kdc/748: can a krb5 realm be renamed?
daemon@ATHENA.MIT.EDU (David J. MacKenzie)
Thu Sep 9 12:05:07 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, djm@web.us.uu.net
Message-Id: <MAA24549.199909091604@catapult.web.us.uu.net>
Date: Thu, 9 Sep 1999 12:04:05 -0400 (EDT)
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
>Number: 748
>Category: krb5-kdc
>Synopsis: I can't figure out how to rename a realm in a KDC
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: support
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 09 12:05:01 EDT 1999
>Last-Modified:
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.0.5
>Environment:
System: BSD/OS catapult.web.us.uu.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #7: Fri Apr 16 17:29:04 EDT 1999 lidl@enniskillen.eng.us.uu.net:/usr/src/bsdi/sys/compile/DESKTOP i386
>Description:
I'd like to change the name of a realm without invalidating all of
the principals in it. Nothing I've tried so far has worked.
I'm trying to rename realm VA.PUBNIX.COM to WEB.WCOM.NET.
>How-To-Repeat:
I used kdb5_util dump, changed the realm name
in the ASCII dump file (and its length field) with sed.
root@keymaster 1 $ kdb5_util -r VA.PUBNIX.COM dump /var/tmp/kdc.web
root@keymaster 2 $ sed s/VA.PUBNIX.COM/WEB.WCOM.NET/g /var/tmp/kdc.dump |
awk '/^princ/ { $3--; print} /^kdb5_util/ { print}' > /var/tmp/kdc.web.adj
The first approach I tried for creating a database is to load the
whole dump, master key and all, into an empty database on a
different host:
root@agamemnon 278 $ kdb5_util -r WEB.WCOM.NET load /var/tmp/kdc.web.adj
root@agamemnon 279 $ kdb5_util -m stash
Enter KDC database master key:
kdb5_util: Decrypt integrity check failed while verifying master key
Oops. Can't create the key stash file .k5.WEB.WCOM.NET. I'm not sure
why. Try the old one?
root@agamemnon 280 $ cp .k5.VA.PUBNIX.COM .k5.WEB.WCOM.NET
root@agamemnon 282 $ skill -y krb5kdc
root@agamemnon 283 $ /usr/local/krb5/libexec/krb5kdc
krb5kdc: cannot initialize realm WEB.WCOM.NET
Sep 3 20:51:44 agamemnon krb5kdc[6728]: Server not found in Kerberos database - while fetching TGS entry for realm WEB.WCOM.NET
Didn't think that would work.
root@agamemnon 287 $ rm .k5.WEB.WCOM.NET
Okay, the second approach is to create a fresh database and leave the
default entries in it:
root@agamemnon 289 $ \rm princ*
root@agamemnon 290 $ kdb5_util -r WEB.WCOM.NET create -s
Initializing database '/opt/krb5/krb5kdc/principal' for realm 'WEB.WCOM.NET',
master key name 'K/M@WEB.WCOM.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
root@agamemnon 291 $ kadmin.local
kadmin.local: listprincs
krbtgt/WEB.WCOM.NET@WEB.WCOM.NET
kadmin/admin@WEB.WCOM.NET
kadmin/changepw@WEB.WCOM.NET
kadmin/history@WEB.WCOM.NET
K/M@WEB.WCOM.NET
Then merge in the other entries from the existing realm dump, having
removed the above entries from the existing realm dump first.
root@agamemnon 299 $ kdb5_util -r WEB.WCOM.NET load -update /var/tmp/kdc.web.adj.less
root@agamemnon 301 $ /usr/local/krb5/libexec/krb5kdc
root@agamemnon 302 $ kinit djm/root@WEB.WCOM.NET
Password for djm/root@WEB.WCOM.NET:
kinit: Password incorrect
root@agamemnon 304 $ kinit djm@WEB.WCOM.NET
Password for djm@WEB.WCOM.NET:
kinit: Password incorrect
Sep 3 20:59:23 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLIENT_KEY: djm/root@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integrity check failed
Sep 3 20:59:28 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLIENT_KEY: djm@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integrity check failed
I also tried manually merging the existing realm dump with a dump from the
newly created database, and loading those without -update. Same results.
I also discovered that "strings" of the new .db file contains many
references to VA.PUBNIX.COM, even though the dump file from which it
was built does not, in plaintext. I suppose it's the principal that
created and/or last modified each record.
Now I'm out of ideas.
>Fix:
>Audit-Trail:
>Unformatted:
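The "Decrypt integrity check failed" results above are what one expects when only the realm string in a dump is rewritten: with the default (implicit) salt, a principal's long-term key is derived from the password salted with the realm name followed by the name components (RFC 4120), so every key in the dump stays bound to the old realm while the KDC derives a different key from the same password under the new one. The Python model below is an added illustration, not part of this report or of krb5; it stands in the PBKDF2 step of the RFC 3962 AES string-to-key function for the DES function krb5-1.0.5 actually used, and the `keep_salt` flag is hypothetical, modelling an entry that carries its original salt explicitly rather than any option of kdb5_util.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    components: tuple  # name components, e.g. ("djm", "root")
    realm: str

def parse_principal(name: str) -> Principal:
    # Split on the last '@'; quoting/escaping of special characters is
    # ignored in this model.
    if "@" not in name:
        raise ValueError("principal must carry a realm")
    local, realm = name.rsplit("@", 1)
    return Principal(tuple(local.split("/")), realm)

def unparse_principal(p: Principal) -> str:
    return "/".join(p.components) + "@" + p.realm

def default_salt(p: Principal) -> str:
    # RFC 4120 default salt: realm, then the name components, no separators.
    return p.realm + "".join(p.components)

def string_to_key(password: str, salt: str, key_len: int = 32) -> bytes:
    # Stand-in for string-to-key (PBKDF2 step of RFC 3962): what matters
    # here is only that the result depends on the salt.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, key_len)

def stored_entry(name: str, password: str) -> dict:
    # Simplified KDB record: key stored under the default salt, salt implicit.
    p = parse_principal(name)
    return {"principal": name, "key": string_to_key(password, default_salt(p))}

def rename_realm(entry: dict, new_realm: str, keep_salt: bool = False) -> dict:
    # Model of the sed rewrite in the report: only the realm string changes.
    # keep_salt (hypothetical) records the original salt explicitly instead.
    p = parse_principal(entry["principal"])
    renamed = {"principal": unparse_principal(Principal(p.components, new_realm)),
               "key": entry["key"]}
    if keep_salt:
        renamed["salt"] = default_salt(p)
    return renamed

def kdc_verify(entry: dict, password: str) -> bool:
    # What the AS exchange effectively checks: derive the key from the password
    # and the entry's salt (explicit if present, else default) and compare.
    salt = entry.get("salt") or default_salt(parse_principal(entry["principal"]))
    return hmac.compare_digest(string_to_key(password, salt), entry["key"])
```

Running `kdc_verify` on an entry moved with `keep_salt=False` reproduces the failure in the report; the same entry with its old salt recorded still verifies, which is the property any realm-rename procedure would have to preserve.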