Default Kerberos database format
James F. Hranicky
jfh at cise.ufl.edu
Mon May 10 10:38:53 EDT 2004
When I set up my realm, I followed the instructions at
http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.3/doc/krb5-install.html#Propagate%20the%20Database%20to%20Each%20Slave%20KDC
(minus the -R to kdb5_util, which doesn't seem to be supported), using
a script similar to the one presented there.
This weekend, I lost the disk containing my primary Kerberos information, so
I ran the kprop in reverse from kdc1 to kdc0 to re-create the database on
the master. Reading through the docs here, however, I see they indicate that
I should use the -ov flag:
http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.3/doc/krb5-install.html#Switching%20Master%20and%20Slave%20KDCs
I didn't do that; however, my per-princ policy info seems intact:
kadmin.local: getprinc XXXXXXXX
Principal: XXXXXXXX at CISE.UFL.EDU
Expiration date: [never]
Last password change: Tue Jan 13 12:53:33 EST 2004
Password expiration date: [none]
Maximum ticket life: 0 days 05:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 13 12:53:33 EST 2004 (kadmind at CISE.UFL.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: defpol
kadmin.local:
So, have I lost some information, or is the default DB type now OV?
Should I change my cron job to include the "-ov" flag to kdb5_util?
Thanks,
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------