[15912] in Kerberos_V5_Development
Re: Master key migration and the stash command
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 21 17:08:01 2010
From: Greg Hudson <ghudson@mit.edu>
To: Will Fiveash <will.fiveash@oracle.com>
In-Reply-To: <20100614195803.GA24535@sun.com>
Date: Mon, 21 Jun 2010 17:07:57 -0400
Message-ID: <1277154477.12977.252.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, 2010-06-14 at 15:58 -0400, Will Fiveash wrote:
> Is this something that should be revisited for the 1.9 release? Note
> that the lack of a stash command in the kdb5_ldap_util is an issue for
> some as well.

I fixed "kdb5_util stash" to work against LDAP databases; it was a very
simple bug. I tagged the fix for 1.8.3; it could also go easily into
releases as early as (I think) 1.6.

Possible remaining improvements include:

* Make it possible to use "kdb5_util stash" before a KDB exists, and
make "kdb5_util create" recognize and use the stash file. I'm no longer
sure this is worth the effort. It would make the creation of slave KDCs
appear slightly more elegant in some deployment scenarios, but not
actually any more correct (the initial KDB contents are overwritten by
the kdb5_util load regardless). It might also be more work than I had
anticipated.

* When the KDB is present but a valid stash file is not, make
"kdb5_util stash" examine the K/M record to deduce the master key type.
This is not completely trivial to implement, and only helps in uncommon
deployment scenarios, so I will defer it for now.

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev