[39132] in Kerberos


Re: kadmin not working after server migration, but kdc works

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Tue Sep 20 17:25:19 2022

Message-ID: <202209202121.28KLLcPI014123@hedwig.cmf.nrl.navy.mil>
To: Wouter Verhelst <w@uter.be>
cc: kerberos@mit.edu
In-Reply-To: <Yyn8l/Qed7tgqZqU@pc220518.home.grep.be>
MIME-Version: 1.0
Date: Tue, 20 Sep 2022 17:21:38 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>> This is one of our worst error messages (see
>> https://krbdev.mit.edu/rt/Ticket/Display.html?id=8247 ).
>
>Yeah, no kidding. I actually looked at the source a while ago to try and
>figure out what was happening, but no luck; the location where the error
>message is printed has absolutely no link anymore with the location
>where the error occurs...

"Back in the day" I kept a build of MIT Kerberos with full debugging
symbols around, so I could use a debugger to trace down the source
of weird errors like this (things are much better now, but you still
run into these issues occasionally).

>        fcc-mit-ticketflags = true

This seems like a Heimdal-specific configuration entry, FWIW.

Russ already explained that this is probably a problem with your kdc.conf
file, so I'd start there.

>It might be that I haven't properly migrated it from single-DES to more
>modern enctypes; is this something I would be able to see if I looked at
>a dump of the database? If so, how would I go about that, and can I
>still fix this?

Look at the manpage for kdb5_util, specifically the "tabdump" subcommand.
You can easily get a list of encryption types for all principals.  The only
tricky principals to change the key of are the master key (see the procedure
in the MIT documentation) and the kadmin password history key (well, that is
straightforward, but you invalidate all password histories).

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
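
Added example (not part of the message above and not MIT Kerberos code): a shell filter for the output of `kdb5_util tabdump keyinfo`, run on the KDC, that lists principals whose newest keys are all single-DES. The sample rows, the function names and the EXAMPLE.COM realm are constructed; columns are found by header name, and single-DES is matched by a `des-` name prefix or by enctype numbers 1 to 3 (des-cbc-crc, des-cbc-md4, des-cbc-md5) as printed with `tabdump -n`.

```shell
#!/bin/sh
# Constructed sample in the tab-separated layout of `kdb5_util tabdump keyinfo`
# (header row first). One row uses a numeric enctype, as `tabdump -n` prints.
sample_keyinfo() {
    printf 'name\tkeyindex\tkvno\tenctype\tsalttype\tsalt\n'
    printf '%s\t%s\t%s\t%s\tnormal\t-1\n' \
        K/M@EXAMPLE.COM                  0 1 aes256-cts-hmac-sha1-96 \
        kadmin/history@EXAMPLE.COM       0 1 des-cbc-crc \
        alice@EXAMPLE.COM                0 2 aes256-cts-hmac-sha1-96 \
        alice@EXAMPLE.COM                1 2 des-cbc-crc \
        alice@EXAMPLE.COM                2 1 des-cbc-crc \
        host/old.example.com@EXAMPLE.COM 0 3 des-cbc-crc \
        host/old.example.com@EXAMPLE.COM 1 3 des-cbc-md5 \
        bob@EXAMPLE.COM                  0 1 aes128-cts-hmac-sha1-96 \
        bob@EXAMPLE.COM                  0 2 3
}

# Reads keyinfo rows on stdin and prints "principal<TAB>enctypes" for every
# principal whose highest-kvno key set contains nothing but single-DES keys.
# Older kvnos are ignored: they only matter for tickets issued before a rekey.
des_only_principals() {
    awk -F '\t' '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        {
            n = $(col["name"]); k = $(col["kvno"]) + 0; e = $(col["enctype"])
            if (!(n in maxkvno) || k > maxkvno[n]) {
                # First row for this principal, or a newer kvno: start over.
                maxkvno[n] = k; total[n] = 0; weak[n] = 0; list[n] = ""
            }
            if (k == maxkvno[n]) {
                total[n]++
                # Single-DES by name, or by number (1, 2, 3) in -n output.
                if (e ~ /^des-/ || e ~ /^[123]$/) weak[n]++
                list[n] = list[n] (list[n] == "" ? "" : ",") e
            }
        }
        END { for (n in total) if (total[n] == weak[n]) print n "\t" list[n] }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample. Against a real database (assumed usage):
#   kdb5_util tabdump keyinfo | des_only_principals
sample_keyinfo | des_only_principals
```

Principals it prints need a key change to a modern enctype; for the master key and kadmin/history, the caveats in the message above apply.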
