Changing password for a principal reverts master key used
David Shrimpton
d.shrimpton at its.uq.edu.au
Thu Aug 1 03:35:36 EDT 2013
On Thu, 1 Aug 2013, Greg Hudson wrote:
> On 07/31/2013 01:11 AM, David Shrimpton wrote:
> > KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Jul 31 14:45:32 EST 2013 *
> > KNVO: 1, Enctype: des-cbc-crc, Active on: Wed Jul 31 14:45:32 EST 2013
>
> This is a weird state. Both master keys have the same "Active on" time,
> and they are both in the future (as of when you sent the message). I
> can't easily get into that state in a test environment:
>
> $ kdb5_util use_mkey 1 2013-08-01
> kdb5_util: Invalid argument there must be one master key currently active
>
> So, I'm curious how you got into that state. Perhaps there is a bug
> involved with that sequence of events.
The problem went away on a restart of the kdc.
It seems that the kdb5_util add_mkey shouldn't be done on a running server
or the server should be restarted after doing an add_mkey.
The 'Active on:' time still displays as the current time for both Mkey's.
This was also the case before doing add_mkey and was the same on another
installation.
David
More information about the Kerberos
mailing list