kdb5_util with -mkey_convert

Mike Friedman mikef at ack.Berkeley.EDU
Sun Jun 23 17:46:33 EDT 2002

On Tue May 21 10:28:03 2002, Nicolas.Williams at ubsw.com said:

> Are you using different KDB master keys on the two hosts? That would explain
> the decrypt integrity check failure message from the KDC. If so then you
> must change the master key during dumping. There's a couple of undocumented
> options for this, -mkey_convert and -new_mkey_file <stash filename>.


I'm about to upgrade my KDC, to new machines and from 1.2.1 to 1.2.5, so I
figured I'd try the above-mentioned undocumented option, to change my master
db key.  After double-checking the syntax in the source code, I ran the

   kdb5_util dump -mkey_convert

After entering the new db password twice, I got a SEGV fault!

The database I tried this on was a copy of my production db.  I had copied
the latest slave_datatrans from my 1.2.1 KDC to the 1.2.5 KDC and then
reloaded it.  In fact, I also dumped and reloaded it again on 1.2.5 (just
to make sure the new policy dumping works).  Then I tried the dump with
'-mkey_convert' and got the SEGV.

(My KDC is running on Solaris 8).

Has anyone tried the '-mkey_convert' option and gotten it to work?  I have
no problem with dumps and reloads as long as I don't try to change the db key.



Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu

More information about the Kerberos mailing list