Deleting and re-creating the default krbtgt principal?

Todd Grayson tgrayson at cloudera.com
Wed Jun 1 21:30:58 EDT 2016


Thanks Greg! I also found this procedure; we'll use modprinc on the other
actual user/service principals, and then follow this for modifying the
krbtgt.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/database.html#changing-krbtgt-key

On Wed, Jun 1, 2016 at 12:25 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 06/01/2016 02:13 PM, Todd Grayson wrote:
> > Is there any kind of guidance or rules of thumb around deleting and
> > re-creating the default krbtgt principal for a KDC?  I've not been able to
> > find specific discussion on doing this, or what the requirements would be
> > for properly re-creating the entry.
> >
> > The issue has to do with wanting to reset a number of values in the entry
> > rather than using modprinc so many times over the entry.
> >
> > Or is this a "don't do it" kind of thing?
>
> I would recommend against it.  At best you would be invalidating all
> existing TGTs; at worst you could get stuck in an unrecoverable state,
> with no way to access the KDC host or connect to kadmin.
>
> You can make multiple modifications to an entry in a single modprinc
> operation.  Even if you make the modifications one at a time, I wouldn't
> expect any problems from performing a dozen or so modprinc operations on
> the same entry in quick succession.
>
-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
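The two points in the thread, one modprinc call carrying several options and the linked MIT procedure for re-keying krbtgt instead of deleting it, as an added shell example; this is not code from the thread or from the MIT documentation. The realm EXAMPLE.COM and the principal names are placeholders, and kadmin.local is only invoked where it is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the kadmin queries a KDC admin
# would run for the two points above; realm and principal names are placeholders.
set -e

# (a) Apply several attribute changes in ONE modprinc call instead of one
# call per attribute. $1 is the principal, the remaining args are modprinc
# options, e.g. -maxlife 1d -maxrenewlife 7d +requires_preauth.
modprinc_query() {
    princ=$1
    shift
    printf 'modprinc %s %s' "$*" "$princ"
}

# (b) Re-key krbtgt in place. -randkey picks a fresh random key and -keepold
# retains the previous key, so TGTs issued under it still verify; the KDC
# keeps working, which deleting and re-creating the principal cannot guarantee.
krbtgt_rotate_query() {
    realm=$1
    printf 'cpw -randkey -keepold krbtgt/%s@%s' "$realm" "$realm"
}

# (c) Once every TGT issued under the old key has expired (maximum ticket
# life plus renewable life), drop the old key so it can no longer be used.
krbtgt_purge_query() {
    realm=$1
    printf 'purgekeys krbtgt/%s@%s' "$realm" "$realm"
}

# Run a query on the KDC host via kadmin.local; when kadmin.local is absent,
# only show what would run, so the script is safe to read through anywhere.
run_kadmin() {
    if command -v kadmin.local >/dev/null 2>&1; then
        kadmin.local -q "$1"
    else
        printf 'kadmin.local not found, would run: %s\n' "$1" >&2
    fi
}

# Typical sequence (uncomment to execute on the KDC host):
# run_kadmin "$(modprinc_query svc/host.example.com@EXAMPLE.COM -maxlife 1d -maxrenewlife 7d +requires_preauth)"
# run_kadmin "$(krbtgt_rotate_query EXAMPLE.COM)"
# ... wait until all TGTs issued under the old key have expired ...
# run_kadmin "$(krbtgt_purge_query EXAMPLE.COM)"
```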
