Default Kerberos database format

James F. Hranicky jfh at cise.ufl.edu
Mon May 10 10:38:53 EDT 2004


When I set up my realm, I followed the instructions at

	http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.3/doc/krb5-install.html#Propagate%20the%20Database%20to%20Each%20Slave%20KDC

(minus the -R to kdb5_util, which doesn't seem to be supported), using
a script similar to the one presented there. 

This weekend, I lost the disk containing my primary Kerberos information, so
I ran the kprop in reverse from kdc1 to kdc0 to re-create the database on
the master. Reading through the docs here, however, I see they indicate that
I should use the -ov flag:

	http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.3/doc/krb5-install.html#Switching%20Master%20and%20Slave%20KDCs

I didn't do that; however, my per-princ policy info seems intact:

    kadmin.local:  getprinc XXXXXXXX
    Principal: XXXXXXXX at CISE.UFL.EDU
    Expiration date: [never]
    Last password change: Tue Jan 13 12:53:33 EST 2004
    Password expiration date: [none]
    Maximum ticket life: 0 days 05:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Tue Jan 13 12:53:33 EST 2004 (kadmind at CISE.UFL.EDU)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 2
    Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 2, ArcFour with HMAC/md5, no salt
    Attributes: REQUIRES_PRE_AUTH
    Policy: defpol
    kadmin.local:  

So, have I lost some information, or is the default DB type now OV?

Should I change my cron job to include the "-ov" flag to kdb5_util?

Thanks,

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
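
A post-restore check in the spirit of the getprinc inspection in the message above, as an added example that is not part of the original post: it summarises policy and attributes from `getprinc` output for several principals and flags any that carry no policy. The function names, principals and sample records are constructed; `[none]` as kadmin's marker for "no policy" is an assumption about the output format.

```shell
#!/bin/sh
# Added example (not from the original post): summarise getprinc output
# after a KDC restore and flag principals that carry no policy.

# Constructed sample: two getprinc records in the layout kadmin.local prints.
sample_records() {
    cat <<'EOF'
kadmin.local:  getprinc alice
Principal: alice@EXAMPLE.COM
Maximum ticket life: 0 days 05:00:00
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH
Policy: defpol
kadmin.local:  getprinc bob
Principal: bob@EXAMPLE.COM
Maximum ticket life: 0 days 05:00:00
Number of keys: 2
Attributes:
Policy: [none]
EOF
}

# Reads getprinc records on stdin, prints one summary line per principal,
# and returns 1 if any principal has no policy (or no Policy line at all).
check_getprinc() {
    awk '
        function emit() {
            if (princ == "") return
            printf "%s policy=%s attrs=%s\n", princ, policy, attrs
            if (policy == "[none]" || policy == "MISSING") bad = 1
        }
        /^[ \t]*Principal:/ { emit(); princ = $2; policy = "MISSING"; attrs = "MISSING" }
        /^[ \t]*Policy:/    { policy = $2 }
        /^[ \t]*Attributes:/ {
            line = $0
            sub(/^[ \t]*Attributes:[ \t]*/, "", line)   # drop the label
            sub(/[ \t]+$/, "", line)                     # drop trailing blanks
            gsub(/[ \t]+/, ",", line)                    # several flags -> a,b,c
            attrs = (line == "" ? "[none]" : line)
        }
        END { emit(); exit (bad ? 1 : 0) }
    '
}

sample_records | check_getprinc || echo "at least one principal has no policy"
```

On a live KDC the input would come from `kadmin.local -q "getprinc NAME"` piped into `check_getprinc`, run once per principal or over a concatenated capture.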

