Changing the master key

John Devitofranceschi jdvf at optonline.net
Sat May 21 10:28:21 EDT 2011


	

We've run into a situation with MIT Kerberos 1.8.2 where the master key has been changed and yet the slave KDCs are still reporting that the original master key is being used on new principals.

Slave KDC updates are happening via iprop.

The master KDC is behaving as expected, and all new principals report using the new mkey vno.

On the master and all slave KDCs, "kdb5_util -list_mkeys" shows that the new mkey vno is the active master key.

I have no idea what steps were used to change the master key (not my infra) and I'm wondering if this situation can be fixed.

I've searched for a "Dummies Guide to Changing your MKey" but I've only found bits and pieces here and there with no real indication of how slaves enter into the picture. Should they be recreated from scratch once the master is changed?

Any pointers or help appreciated!

jd



