[krbdev.mit.edu #8651] kinit -kt KDB: Cannot find/read stored master key

Richard Basch via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Sat Mar 17 21:36:38 EDT 2018


I have found automated jobs that are executed on a KDC using "kinit -kt KDB:" may sometimes fail with:

	kinit: Cannot find/read stored master key while setting up KDB key tab for realm XXX

However, if the script is retried, it invariably works. I suspect there is a transient locking condition which may sporadically cause a failure. The k5stash file path is local and the “ctime” has not changed anytime within the intervals of the run.

FYI - KDB: offers a great way to authenticate using a Kerberos-internal principal (e.g. kadmin/admin) to prove it is the KDC infrastructure, without having to create secondary files which can be copied out-of-band or for which their distribution cannot be deterministically sync’d with respect to Kerberos iprop propagation. For most use-cases, I prefer keytabs but to prove Kerberos infrastructure identity, I prefer not to create extra keytabs and to rotate the keys aggressively to mitigate impact from any unauthorized extraction of Kerberos’ keys.
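The report describes a failure that clears on retry but gives no wrapper for it. The script below is an added example, not code from the bug report or from MIT krb5: it runs a command, retries only when stderr carries the "Cannot find/read stored master key" text quoted above, and returns any other error at once so a genuine misconfiguration is not masked. The names retry_on_transient and RETRY_ATTEMPTS, the realm EXAMPLE.COM and the default principal kadmin/admin are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report or MIT krb5): retry "kinit -kt KDB:"
# only when it fails with the transient master-key error quoted in the report.
# Assumed names: retry_on_transient, RETRY_ATTEMPTS, and the placeholders
# EXAMPLE.COM / kadmin/admin are hypothetical.

# Error text that the report says clears on retry. Anything else is treated
# as a hard failure and returned immediately, so a real problem (wrong
# principal, missing stash, no KDB access) is not hidden behind retries.
TRANSIENT_PATTERN='Cannot find/read stored master key'

# Number of attempts made by the last retry_on_transient call (for logging).
RETRY_ATTEMPTS=0

# retry_on_transient MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Returns the command's exit status; its stderr is reprinted on final failure.
retry_on_transient() {
    local max="$1" delay="$2" attempt=1 rc err
    shift 2
    while :; do
        # Capture stderr only; stdout is discarded (kinit prints nothing on success).
        err=$("$@" 2>&1 >/dev/null) && rc=0 || rc=$?
        RETRY_ATTEMPTS=$attempt
        if [ "$rc" -eq 0 ]; then
            return 0
        fi
        case "$err" in
            *"$TRANSIENT_PATTERN"*)
                if [ "$attempt" -ge "$max" ]; then
                    printf 'giving up after %d attempts: %s\n' "$attempt" "$err" >&2
                    return "$rc"
                fi
                attempt=$((attempt + 1))
                sleep "$delay"
                ;;
            *)
                # Not the transient condition: fail fast with the real message.
                printf '%s\n' "$err" >&2
                return "$rc"
                ;;
        esac
    done
}

# Usage on a KDC (only when invoked with --run, so the function can be
# sourced from other jobs): 5 attempts, 2 s apart, for a Kerberos-internal
# principal read straight from the KDB: keytab type.
if [ "${1:-}" = "--run" ]; then
    retry_on_transient 5 2 kinit -kt KDB: "${PRINCIPAL:-kadmin/admin@EXAMPLE.COM}"
fi
```

Matching on the error text rather than on the exit status is deliberate: kinit returns the same non-zero status for most failures, and retrying "Client not found" or a wrong-password error would only delay the job and flood the KDC log.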


