kdb5_util with -mkey_convert
Mike Friedman
mikef at ack.Berkeley.EDU
Sun Jun 23 17:46:33 EDT 2002
On Tue May 21 10:28:03 2002, Nicolas.Williams at ubsw.com said:
> Are you using different KDB master keys on the two hosts? That would explain
> the decrypt integrity check failure message from the KDC. If so then you
> must change the master key during dumping. There's a couple of undocumented
> options for this, -mkey_convert and -new_mkey_file <stash filename>.
Nico,
I'm about to upgrade my KDC, to new machines and from 1.2.1 to 1.2.5, so I
figured I'd try the above-mentioned undocumented option, to change my master
db key. After double-checking the syntax in the source code, I ran the
following:
kdb5_util dump -mkey_convert
After entering the new db password twice, I got a SEGV fault!
The database I tried this on was a copy of my production db. I had copied
the latest slave_datatrans from my 1.2.1 KDC to the 1.2.5 KDC and then
reloaded it. In fact, I also dumped and reloaded it again on 1.2.5 (just
to make sure the new policy dumping works). Then I tried the dump with
'-mkey_convert' and got the SEGV.
(My KDC is running on Solaris 8).
Has anyone tried the '-mkey_convert' option and gotten it to work? I have
no problem with dumps and reloads as long as I don't try to change the db key.
Thanks.
Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------