Problem with db master password migrating kerberos server to new machine
Greg Hudson
ghudson at mit.edu
Tue Feb 7 10:54:24 EST 2017
On 02/07/2017 03:17 AM, Rainer Krienke wrote:
> Afterwards I am able to run kamin.local and can eg list all the
> principals. However I am unable to login using kamin.local -m using my
> database master password which works on server A.
The default master key type changed from des3-cbc-sha1 to aes256-cts in
release 1.9. Unfortunately, we are not as friendly about the master key
enctype as we could be, due to this issue:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6641
If you configure "master_key_enctype = des3-cbc-sha1" in the [realms]
subsection for your realm in kdc.conf (or krb5.conf), I believe it
should work again (in both versions). Alternatively, you could rotate
the master key by following this procedure:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html?highlight=master#updating-the-master-key
I am curious why you sometimes use the typed-in master key password when
you have a stash file.
More information about the Kerberos
mailing list