Deleting and re-creating the default krbtgt principal?

Greg Hudson ghudson at mit.edu
Wed Jun 1 14:25:06 EDT 2016


On 06/01/2016 02:13 PM, Todd Grayson wrote:
> Is there any kind of guidance or rules of thumb around deleting and
> re-creating the default krbtgt principal for a KDC?  I've not been able to
> find specific discussion on doing this, or what the requirements would be
> for properly re-creating the entry.
> 
> The issue has to do with wanting to reset a number of values in the entry
> rather than using modprinc so many times over the entry.
> 
> Or is this a "don't do it" kind of thing?

I would recommend against it.  At best you would be invalidating all
existing TGTs; at worst you could get stuck in an unrecoverable state,
with no way to access the KDC host or connect to kadmin.

You can make multiple modifications to an entry in a single modprinc
operation.  Even if you make the modifications one at a time, I wouldn't
expect any problems from performing a dozen or so modprinc operations on
the same entry in quick succession.

