Deleting and re-creating the default krbtgt principal?
Greg Hudson
ghudson at mit.edu
Wed Jun 1 14:25:06 EDT 2016
On 06/01/2016 02:13 PM, Todd Grayson wrote:
> Is there any kind of guidance or rules of thumb around deleting and
> re-creating the default krbtgt principal for a KDC? I've not been able to
> find specific discussion on doing this, or what the requirements would be
> for properly re-creating the entry.
>
> The issue has to do with wanting to reset a number of values in the entry
> rather than using modprinc so many times over the entry.
>
> Or is this a "don't do it" kind of thing?

I would recommend against it. At best you would be invalidating all
existing TGTs; at worst you could get stuck in an unrecoverable state,
with no way to access the KDC host or connect to kadmin.

You can make multiple modifications to an entry in a single modprinc
operation. Even if you make the modifications one at a time, I wouldn't
expect any problems from performing a dozen or so modprinc operations on
the same entry in quick succession.