Propagate MIT Database to Heimdal?
ms419@freezone.co.uk
ms419 at freezone.co.uk
Sun Oct 17 18:09:12 EDT 2004
We are trying to propagate our Kerberos database from MIT to Heimdal.
As I understand it, our problem is that our MIT database is encrypted
with an MIT master key, but the Heimdal tools - kadmin & kinit -
require a database encrypted with a Heimdal master key.
I assume our MIT master key is des3-hmac-sha1:
kdc.conf: master_key_type = des3-hmac-sha1
& our Heimdal master key is des-cbc-crc:
kdc.conf: #master_key_type = des-cbc-crc
Both MIT tools - kdb5_utils - & Heimdal tools - hprop - sport options
to convert the database, but either they don't work, or I am using them
incorrectly.
Henry on the Heimdal list suggested dumping the MIT database
unencrypted, but I haven't found an option to do this.
I tried using kdb5_util -mkey_convert -new_mkey_file & our Heimdal
master key to re-encrypt the database:
fis:~# kstash
Master key:
Verifying - Master key:
kstash: writing key to `/var/lib/heimdal-kdc/m-key'
fis:~# scp /var/lib/heimdal-kdc/m-key tor:
root at tor's password:
fis:~# ssh tor kdb5_util dump -b7 -mkey_convert -new_mkey_file m-key >
datatrans
root at tor's password:
dump: Stored master key is corrupted while reading new master key
& I can't figure out how to create an MIT des-cbc-crc master key, for
use with kdb5_util -mkey_convert -new_mkey_file.
I tried using hprop -m & our MIT master key to decrypt the database:
fis:~# ssh tor kdb5_util dump -b7 > datatrans
root at tor's password:
fis:~# scp tor:/etc/krb5kdc/stash .
root at tor's password:
fis:~# hprop -m stash -d datatrans --source=mit-dump -n | hpropd -n
fis:~# kadmin -l
kadmin> list *
kadmin: get host/fis.lat at LAT: No correct master key
kadmin: get host/tor.lat at LAT: No correct master key
kadmin: get imap/tor.lat at LAT: No correct master key
[...]
I also tried using hprop -m & our Heimdal master key to decrypt the
database, with identical results:
fis:~# hprop -m /var/lib/heimdal-kdc/m-key -d datatrans
--source=mit-dump -n | hpropd -n
fis:~# kadmin -l
kadmin> list *
kadmin: get host/fis.lat at LAT: No correct master key
kadmin: get host/tor.lat at LAT: No correct master key
kadmin: get imap/tor.lat at LAT: No correct master key
[...]
& I tried creating a Heimdal des3-hmac-sha1 master key, for use with
hprop -m:
fis:~# kstash -e des3-hmac-sha1
kstash: krb5_string_to_enctype: encryption type des3-hmac-sha1 not
supported
Can MIT dump the database in an unencrypted format? Can MIT re-encrypt
the database with a des-cbc-crc master key? Can MIT re-encrypt the
database with a Heimdal master key?
Any suggestions how to propagate our database to Heimdal much
appreciated!
Many thanks,
Jack
More information about the Kerberos
mailing list