Problem with db master password migrating kerberos server to new machine

Greg Hudson ghudson at mit.edu
Tue Feb 7 10:54:24 EST 2017


On 02/07/2017 03:17 AM, Rainer Krienke wrote:
> Afterwards I am able to run kadmin.local and can e.g. list all the
> principals. However I am unable to log in using kadmin.local -m using my
> database master password which works on server A.

The default master key type changed from des3-cbc-sha1 to aes256-cts in
release 1.9.  Unfortunately, we are not as friendly about the master key
enctype as we could be, due to this issue:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6641

If you configure "master_key_enctype = des3-cbc-sha1" in the [realms]
subsection for your realm in kdc.conf (or krb5.conf), I believe it
should work again (in both versions).  Alternatively, you could rotate
the master key by following this procedure:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html?highlight=master#updating-the-master-key

I am curious why you sometimes use the typed-in master key password when
you have a stash file.
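
A check for the default change described in the reply above, as an added example that is not part of the original post or of the krb5 code base: it reads the [realms] stanza of a kdc.conf and reports which master key enctype a server would assume for a typed-in master password. The realm name, release numbers and file contents are constructed, and the function names are hypothetical.

```python
import re

def default_master_enctype(release):
    """Default per the post: des3-cbc-sha1 before release 1.9, aes256-cts from 1.9."""
    major, minor = (int(x) for x in release.split(".")[:2])
    return "aes256-cts" if (major, minor) >= (1, 9) else "des3-cbc-sha1"

def configured_master_enctype(conf_text, realm):
    """Return master_key_enctype set for `realm` under [realms], or None if unset."""
    section, current, depth = None, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line) if depth == 0 else None
        if header:
            section = header.group(1)
        elif line.endswith("{"):
            depth += 1
            if depth == 1:                # "REALM = {" opens a realm block
                current = line.split("=", 1)[0].strip()
        elif line.startswith("}"):
            depth -= 1
        elif section == "realms" and depth == 1 and current == realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "master_key_enctype":
                return value
    return None

def effective_master_enctype(conf_text, realm, release):
    """Explicit setting if present, otherwise the release default."""
    return configured_master_enctype(conf_text, realm) or default_master_enctype(release)

# Constructed sample files: the same realm with and without the explicit setting.
UNSET = "[realms]\n    EXAMPLE.COM = {\n        max_life = 10h\n    }\n"
PINNED = ("[realms]\n    EXAMPLE.COM = {\n"
          "        master_key_enctype = des3-cbc-sha1\n    }\n")

if __name__ == "__main__":
    old = effective_master_enctype(UNSET, "EXAMPLE.COM", "1.8")    # constructed release
    for label, conf in (("unset", UNSET), ("pinned", PINNED)):
        new = effective_master_enctype(conf, "EXAMPLE.COM", "1.15")  # constructed release
        status = "match" if new == old else "MISMATCH"
        print(f"new server ({label}): old={old} new={new} -> {status}")
```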

