Changing password for a principal reverts master key used

David Shrimpton d.shrimpton at its.uq.edu.au
Thu Aug 1 03:35:36 EDT 2013


On Thu, 1 Aug 2013, Greg Hudson wrote:

> On 07/31/2013 01:11 AM, David Shrimpton wrote:
> > KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Jul 31 14:45:32 EST 2013 *
> > KNVO: 1, Enctype: des-cbc-crc, Active on: Wed Jul 31 14:45:32 EST 2013
> 
> This is a weird state.  Both master keys have the same "Active on" time,
> and they are both in the future (as of when you sent the message).  I
> can't easily get into that state in a test environment:
> 
>   $ kdb5_util use_mkey 1 2013-08-01
>   kdb5_util: Invalid argument there must be one master key currently active
> 
> So, I'm curious how you got into that state.  Perhaps there is a bug
> involved with that sequence of events.

The problem went away on a restart of the kdc.

It seems that the kdb5_util add_mkey shouldn't be done on a running server
or the server should be restarted after doing an add_mkey.

The 'Active on:' time still displays as the current time for both Mkeys.
This was also the case before doing add_mkey and was the same on another
installation.

David
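The state Greg calls "weird" above (two master keys with one shared activation time, both in the future, and therefore no key active at the moment) is exactly what a post-rollover sanity check should catch before the KDC is left running. The script below is an added example, not code from this thread or from MIT Kerberos: it parses `kdb5_util list_mkeys` output and reports the inconsistencies the thread describes. It assumes the line format kdb5_util prints (`KVNO: <n>, Enctype: <name>, Active on: <ctime>`, with a trailing `*` on the key the KDC treats as current, or `No activate time set`); the quoted lines spell the prefix "KNVO", so the pattern accepts either spelling. The two samples are constructed, the "now" timestamps are passed in explicitly, and zone names are dropped so times compare as naive local timestamps.

```python
"""Sanity-check `kdb5_util list_mkeys` output after a master-key rollover.

Added example (not from the thread or from MIT Kerberos). Flags: no key
active as of `now`, activation times in the future, several keys sharing
one activation time, and a '*' marker that does not sit on the newest
active key.
"""
import re
import sys
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample reproducing the two lines quoted in the thread
# (the thread writes "KNVO"; kdb5_util itself prints "KVNO").
BROKEN_OUTPUT = """\
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Jul 31 14:45:32 EST 2013 *
KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Jul 31 14:45:32 EST 2013
"""

# Constructed sample of a sane rollover: the new key activates after the old one.
HEALTHY_OUTPUT = """\
Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Thu Aug 01 09:00:00 EST 2013 *
KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Jul 31 14:45:32 EST 2013
"""

# Accepts "KVNO" (what kdb5_util prints) and the thread's "KNVO" spelling.
LINE_RE = re.compile(
    r"^K[VN]{2}O:\s*(?P<kvno>\d+),\s*Enctype:\s*(?P<enctype>\S+),\s*"
    r"(?:Active on:\s*(?P<when>.+?)|(?P<noact>No activate time set))\s*(?P<star>\*)?\s*$"
)


class MasterKey(NamedTuple):
    kvno: int
    enctype: str
    active_on: Optional[datetime]  # None when no activation time is set
    current: bool                  # True when kdb5_util marked the line with '*'


def parse_time(text: str) -> datetime:
    """Parse ctime-style 'Wed Jul 31 14:45:32 EST 2013'.

    The zone token is dropped: strptime's %Z only understands the local zone,
    UTC and GMT, so comparisons are made on naive timestamps (assumption).
    """
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_list_mkeys(output: str) -> List[MasterKey]:
    """Return one MasterKey per 'KVNO:' line; other lines are ignored."""
    keys = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or unrelated output
        when = parse_time(m.group("when")) if m.group("when") else None
        keys.append(MasterKey(int(m.group("kvno")), m.group("enctype"),
                              when, bool(m.group("star"))))
    return keys


def check_mkeys(keys: List[MasterKey], now: datetime) -> List[str]:
    """Return human-readable problems; an empty list means the state looks sane."""
    if not keys:
        return ["no master keys parsed"]
    problems = []
    active = [k for k in keys if k.active_on is not None and k.active_on <= now]
    if not active:
        # kdb5_util itself refuses to leave the database in this state.
        problems.append("no master key is currently active (kdb5_util requires one)")
    for k in keys:
        if k.active_on is not None and k.active_on > now:
            problems.append(f"KVNO {k.kvno} has an activation time in the future ({k.active_on})")
    times = [k.active_on for k in keys if k.active_on is not None]
    if len(times) != len(set(times)):
        problems.append("several master keys share the same activation time")
    marked = [k for k in keys if k.current]
    if len(marked) != 1:
        problems.append(f"expected exactly one key marked '*', found {len(marked)}")
    elif active:
        latest = max(k.active_on for k in active)
        if marked[0].active_on != latest:
            problems.append(f"KVNO {marked[0].kvno} is marked current but a key "
                            f"activated at {latest} is the newest active one")
    return problems


if __name__ == "__main__":
    # Pipe real output in (kdb5_util list_mkeys | python3 check_mkeys.py);
    # with no stdin data the constructed broken sample is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_OUTPUT
    for problem in check_mkeys(parse_list_mkeys(text), datetime.now()) or ["OK"]:
        print(problem)
```

Run against the broken sample with the clock set to the morning of 31 July, the check reports all three anomalies from the thread; against the healthy sample taken a day after the new key's activation it reports nothing. Restarting the KDC, as David found, clears the in-memory view, but the database state this script reads is what the next restart will load, so it is worth checking before and after `add_mkey`/`use_mkey` rather than trusting the `*` marker alone.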

