Error messages

Rick van Rein (OpenFortress) rick at openfortress.nl
Sat Oct 12 19:39:41 EDT 2013


Hello,

>> Apparently not all enctypes can function as master key, notably aes256-cts:normal cannot.
> 
> aes256-cts can definitely be used for the master key, and has been the default for the master key since 1.8.  Something else is going on here.

Thanks Greg -- with the string you supplied it does seem to work.

It does still fail when starting the KDC, with a log message "krb5kdc: Unable to decrypt latest master key with the provided master key - while fetching master keys list for realm" -- which of course should not be more informative on cryptographic grounds.

> I don't know if this is the problem, but the master key does not have a salt type.  If you wanted to specify aes256-cts as the master key type, you would just write "aes256-cts".

A few things that I am doing but feel unsure about:

* I seem to need to run "kdb5_util create" to construct a principal file with a random pool, even when running on an LDAP backend
* I create a master key and separate passwords for KDC and Kadmin with cat /dev/urandom | hexdump | head | openssl md5
* The master key is entered into "kdb5_util create /var/lib/kerberos/principal.`echo $REALM | tr A-Z a-z`"
* I then run "kdb5_ldap_util -s -D uid=root,$ROOTDN create -r $REALM" and have (in /etc/krb5.conf) ldap_kerberos_container_dn stored in a [dbmodules] entry appointed as the database_module in [dbdefaults]
* This asks for initialisation of the master database key /again/ which I fill with the same value as for "kdb5_util create"
* The LDAP entries are created as expected, according to ldapsearch
* I then run "kdb5_ldap_util stashpwd" twice; once to extract the KDC key and once to extract the Kadmin key
* These two runs each ask me for one of the strings generated in the second step
* I combine the retrieved KDC and Kadmin keys into one file appointed by (in /etc/krb5.conf) ldap_service_password_file in a [dbmodules] entry appointed as database_module in [dbdefaults].
* The KDC key is translated to 1008 bits (?), the Kadmin key is only mapped to hex (?!?)

As I said, I'm hesitant because I find it very hard to get into things given the Kerberos documentation.  Am I doing something that seems silly?

Thanks!
 -Rick
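An added example, not from Rick's setup or from the MIT Kerberos project, of the configuration fragments the steps above imply: the kldap database module referenced from [dbdefaults], and the master key type written as an enctype only, as Greg describes. The realm, DNs, service password file path and module name are placeholders.

```ini
# /etc/krb5.conf (placeholders: EXAMPLE.COM, the DNs, the keyfile path)
[libdefaults]
    default_realm = EXAMPLE.COM

[dbdefaults]
    # the [dbmodules] entry below is selected here
    database_module = ldap_example

[dbmodules]
    ldap_example = {
        db_library = kldap
        ldap_servers = ldapi:///
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        # assumed service DNs for the KDC and kadmind binds
        ldap_kdc_dn = cn=kdc-service,dc=example,dc=com
        ldap_kadmind_dn = cn=kadmin-service,dc=example,dc=com
        # one file holding both stashed service passwords
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }

# kdc.conf for the KDC and kadmind
[realms]
    EXAMPLE.COM = {
        # enctype only: a salt suffix such as ":normal" is not valid here
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
```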
