Unable to access kdc after changing password

Podrigal, Aron aronp at guaranteedplus.com
Fri Jun 19 16:24:02 EDT 2015


Thank you
On Jun 19, 2015 4:19 PM, "Tom Yu" <tlyu at mit.edu> wrote:

> "Podrigal, Aron" <aronp at guaranteedplus.com> writes:
>
> > kadmin: change_password K/M
> > kadmin: quit
> >
> > Which should change the master password, no?
> >
> > But now I can't seem to get access to the database
>
> The master key K/M is special and can't be changed in a useful way by
> using the kadmin change_password command.  It is probably a bug that you
> were able to run that command without getting an error.
>
> The following link describes the correct way to update the master key.
>
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key
>
> > # kdb5_util stash
> > kdb5_util: Unable to decrypt latest master key with the provided master key while getting master key list
> > kdb5_util: Warning: proceeding without master key list
> > Enter KDC database master key:
> > kdb5_util: Unable to decrypt latest master key with the provided master key while getting master key list
> > #
> >
> > As I understand the problem is that the key in keytab is no longer valid.
> > However providing the password on command line as shown above should work.
> > I'm confident that I didn't forget the password :)
> >
> > Can anyone point me in the right direction? I seem to be missing some
> > general knowledge here. Any info would be greatly appreciated.
>
> The master key encrypts every key in the database, including itself.
> This fact is used by nearly every program that touches the database to
> verify the correctness of the master key as read from a stash file or
> the keyboard.  By running the change_password command on K/M, you
> changed the key stored in the K/M principal entry in the database, but
> it probably remained encrypted in the old master key, as did every other
> key in the database.
>
> Unfortunately, this situation is probably very difficult to recover
> without reloading a backup of the database.
>
> -Tom
>
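
The explanation quoted above, as a simplified model added here (not MIT krb5 code and not part of the original thread): a toy cipher and key derivation stand in for the real enctypes, and the principal names, passwords and function names are constructed. It shows why the self-check fails for the new password, and in this model for the old one too, once the K/M entry holds a new key that is still encrypted under the old master key.

```python
import hashlib
import hmac

def derive(password: str) -> bytes:
    # Toy string-to-key with a constructed salt; krb5 uses enctype-specific functions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.COM-K/M", 1000)

def _stream(key: bytes, n: int) -> bytes:
    # HMAC-based keystream, a stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plain: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(plain, _stream(key, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _stream(key, len(body))))

def create_db(master_pw: str) -> dict:
    mk = derive(master_pw)
    # Every stored key is encrypted in the master key, including K/M itself.
    return {"K/M": encrypt(mk, mk), "alice": encrypt(mk, derive("alice-pw"))}

def verify_master(db: dict, candidate_pw: str) -> bool:
    # Self-check: the candidate must decrypt K/M and the result must equal it.
    cand = derive(candidate_pw)
    try:
        return hmac.compare_digest(decrypt(cand, db["K/M"]), cand)
    except ValueError:
        return False

def change_password_on_km(db: dict, current_mk: bytes, new_pw: str) -> None:
    # Models the thread's failure: new K/M key stored, still encrypted in the old key.
    db["K/M"] = encrypt(current_mk, derive(new_pw))

def demo():
    db = create_db("old-master")
    before = verify_master(db, "old-master")
    change_password_on_km(db, derive("old-master"), "new-master")
    alice_ok = decrypt(derive("old-master"), db["alice"]) == derive("alice-pw")
    return before, verify_master(db, "new-master"), verify_master(db, "old-master"), alice_ok

if __name__ == "__main__":
    print(demo())
```
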

