Problem with db master password migrating kerberos server to new machine

Rainer Krienke krienke at uni-koblenz.de
Tue Feb 7 07:16:06 EST 2017


Hello,

just a quick update:

in between I also tried the official upgrade path for kerberos:

https://web.mit.edu/kerberos/krb5-1.3/krb5-1.3.6/doc/krb5-install.html#Upgrading%20Existing%20Kerberos%20V5%20Installations

This procedure leads to the very same problem on machine B. kadmin.local
works, kadmin.local -m <password> does not work.

I tried the same procedure but in this case the new destination machine
"B" had the very same kerberos version and the same linux installation
just like machine A. In this case this official upgrade path by
exporting and importing principals works just as expected so that
kadmin.local -m <password> is ok.

So it seems like the krb version switch causes this problem. Is there
perhaps something more that has to be done... ?

Thanks
Rainer

Am 07.02.2017 um 09:17 schrieb Rainer Krienke:
> Hello,
> 
> I run a linux machine A with SuSE SLES11SP4 with a working kerberos
> server (version 1.6.3) and want to migrate this server to a new linux
> SLES12SP2 machine B where the kerberos installation (version 1.12.5) is
> a little more recent.
> 
> I tried to tar the whole stuff in /var/lib/kerberos/krb5kdc on machine A
> and then extract it on machine B. Part of this tar is also the stash
> file. /etc/krb5.conf is identical on both machines.
> 
> Afterwards I am able to run kadmin.local and can e.g. list all the
> principals. However I am unable to login using kadmin.local -m using my
> database master password which works on server A. I see the following
> error message if I try on machine B:
> 
> kadmin.local: Unable to decrypt latest master key with the provided
> master key  while initializing kadmin.local interface
> 
> Does anyone know why it could not be working, or what I have to do to
> get it working again? I do not understand this at the moment. What else
> aside from the original db password and the principals could this login
> depend on?
> 
> Thanks a lot for any help
> Rainer
> 
> 
> 


-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
Web: http://userpages.uni-koblenz.de/~krienke
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
