Changing master key (Kerberos authentication server+LDAP database)

Simo Sorce simo at redhat.com
Wed Jul 27 09:36:49 EDT 2011


On Wed, 2011-07-27 at 05:28 -0700, Anubha Gupta wrote:
> Is it possible to change the master key of a realm when LDAP is used
> as the database server? The stash file is not present since LDAP is
> used. Appreciate any help on this.

The standard kldap driver still uses the stash file to hold the master
key as far as I know.

You can use kdb5_dump to dump and change the passwords and load them
back with older releases. In 1.9 it should be possible to change keys
while keeping the database online by storing both the old and the new
master key in the new keytab format stash file.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



