Migrating from b6 to 1.3.1 (without the a master key phrase)
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Nov 12 21:23:26 EST 2003
>The kdb5_util code unfortunately does not allow you to change
>encryption key types when it changes the master key. It is a fairly
>simple change to the source to do this as a one-time hack, but it is
Hm. When I did that, my KDC failed to start. The reason (after I
finally tracked it down) was that there's an assumption deep within the
admin server that the kadmin/history enctype matches the master key
enctype. I thought that this assumption still exists. Ah, yes, it does.
In krb5 1.3.1, lib/kadm5/srv/server_kdb.c, lines 178-179:

    ret = krb5_dbe_find_enctype(handle->context, &hist_db,
                                handle->params.enctype, -1, -1, &key_data);

"params.enctype" in this case is the master key enctype. It wasn't
clear to me what the right answer was to this problem.
--Ken