Recovering from a removed master key
Greg Hudson
ghudson at mit.edu
Wed Feb 18 18:31:08 EST 2015
On 02/18/2015 05:49 PM, Charles Adams wrote:
> slave1# kdb5_util dump -ov -verbose ~/kerbmaster-ov K/M@MY.REALM.ORG
> slave1# kdb5_util dump -verbose ~/kerbmaster K/M@MY.REALM.ORG
I don't think there's ever much call to use dump -ov today, although the
documentation was unclear on that point until recently. That's a side
point.
> master# kdb5_util load -verbose -update ~/kerbmaster
I would expect this to work, and it works for me if I reproduce your
situation in a test realm:
$ make testrealm
[...]
$ kdb5_util dump testdir/dump K/M@KRBTEST.COM
$ kadmin.local -q 'delprinc -force K/M' # XXX DO NOT DO THIS
$ kinit user # (this works as long as the KDC is still running)
$ kadmin.local # (fails with "Cannot find master key record")
$ pkill krb5kdc
$ krb5kdc # (fails with "cannot initialize realm")
$ kdb5_util load -update testdir/dump
$ krb5kdc # (succeeds)
$ kinit user # (succeeds)
$ kadmin.local # (succeeds)
Just be very careful not to forget the -update flag, or you'll wind up
with a KDB with only K/M in it.
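As an added illustration of the two cautions in the reply above (not part of the thread, and not MIT Kerberos code): a small POSIX shell guard that checks a kdb5_util text dump for the K/M principal record before building a load command, and always includes -update so the existing database is merged rather than replaced. It assumes MIT's dump format, where each principal record is a tab-separated line whose first field is "princ" and one of whose fields is the principal name; the sample dump below is constructed, not a real database.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread or the MIT krb5 project.

# Return 0 if DUMPFILE contains a "princ" record for PRINC.
# Assumption: records are tab-separated and the principal name is a field.
dump_has_principal() {
  dumpfile="$1"; princ="$2"
  awk -F'\t' -v p="$princ" '
    $1 == "princ" { for (i = 2; i <= NF; i++) if ($i == p) { found = 1; exit } }
    END { exit !found }' "$dumpfile"
}

# Print the load command for DUMPFILE, refusing if the master key
# principal K/M@REALM is missing.  -update is always present so the
# load merges into the existing KDB instead of replacing it.
build_load_cmd() {
  dumpfile="$1"; realm="$2"
  if ! dump_has_principal "$dumpfile" "K/M@$realm"; then
    echo "refusing to load: $dumpfile has no K/M@$realm record" >&2
    return 1
  fi
  echo "kdb5_util load -verbose -update $dumpfile"
}

# Write a constructed sample dump (header plus two records) and print its path.
make_sample_dump() {
  f=$(mktemp)
  printf 'kdb5_util load_dump version 7\n' > "$f"
  printf 'princ\t38\t21\t1\t1\t0\tK/M@KRBTEST.COM\t0\t0\n' >> "$f"
  printf 'princ\t38\t21\t1\t1\t0\tuser@KRBTEST.COM\t0\t0\n' >> "$f"
  echo "$f"
}

sample=$(make_sample_dump)
build_load_cmd "$sample" KRBTEST.COM        # prints the guarded load command
build_load_cmd "$sample" OTHER.REALM || true # refused: no K/M@OTHER.REALM
rm -f "$sample"
```

The guard only inspects the dump text; it does not run kdb5_util itself, so it can be used on a replica before a load is attempted on the master.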