Propagate MIT Database to Heimdal?

ms419@freezone.co.uk ms419 at freezone.co.uk
Sun Oct 17 18:09:12 EDT 2004


We are trying to propagate our Kerberos database from MIT to Heimdal. 
As I understand it, our problem is that our MIT database is encrypted 
with an MIT master key, but the Heimdal tools - kadmin & kinit - 
require a database encrypted with a Heimdal master key.

I assume our MIT master key is des3-hmac-sha1:

	kdc.conf: master_key_type = des3-hmac-sha1

& our Heimdal master key is des-cbc-crc:

	kdc.conf: #master_key_type = des-cbc-crc

Both MIT tools - kdb5_util - & Heimdal tools - hprop - sport options 
to convert the database, but either they don't work, or I am using them 
incorrectly.

Henry on the Heimdal list suggested dumping the MIT database 
unencrypted, but I haven't found an option to do this.

I tried using kdb5_util -mkey_convert -new_mkey_file & our Heimdal 
master key to re-encrypt the database:

	fis:~# kstash
	Master key:
	Verifying - Master key:
	kstash: writing key to `/var/lib/heimdal-kdc/m-key'
	fis:~# scp /var/lib/heimdal-kdc/m-key tor:
	root@tor's password:
	fis:~# ssh tor kdb5_util dump -b7 -mkey_convert -new_mkey_file m-key > datatrans
	root@tor's password:
	dump: Stored master key is corrupted while reading new master key

& I can't figure out how to create an MIT des-cbc-crc master key, for 
use with kdb5_util -mkey_convert -new_mkey_file.

I tried using hprop -m & our MIT master key to decrypt the database:

	fis:~# ssh tor kdb5_util dump -b7 > datatrans
	root@tor's password:
	fis:~# scp tor:/etc/krb5kdc/stash .
	root@tor's password:
	fis:~# hprop -m stash -d datatrans --source=mit-dump -n | hpropd -n
	fis:~# kadmin -l
	kadmin> list *
	kadmin: get host/fis.lat@LAT: No correct master key
	kadmin: get host/tor.lat@LAT: No correct master key
	kadmin: get imap/tor.lat@LAT: No correct master key
	[...]

I also tried using hprop -m & our Heimdal master key to decrypt the 
database, with identical results:

	fis:~# hprop -m /var/lib/heimdal-kdc/m-key -d datatrans --source=mit-dump -n | hpropd -n
	fis:~# kadmin -l
	kadmin> list *
	kadmin: get host/fis.lat@LAT: No correct master key
	kadmin: get host/tor.lat@LAT: No correct master key
	kadmin: get imap/tor.lat@LAT: No correct master key
	[...]

& I tried creating a Heimdal des3-hmac-sha1 master key, for use with 
hprop -m:

	fis:~# kstash -e des3-hmac-sha1
	kstash: krb5_string_to_enctype: encryption type des3-hmac-sha1 not supported

Can MIT dump the database in an unencrypted format? Can MIT re-encrypt 
the database with a des-cbc-crc master key? Can MIT re-encrypt the 
database with a Heimdal master key?

Any suggestions how to propagate our database to Heimdal much 
appreciated!

Many thanks,

Jack


