Problem with db master password migrating kerberos server to new machine

Greg Hudson ghudson at mit.edu
Thu Feb 9 00:18:32 EST 2017


On 02/08/2017 07:33 AM, Rainer Krienke wrote:
>> If you configure "master_key_enctype = des3-cbc-sha1" in the [realms]
>> subsection for your realm in kdc.conf (or krb5.conf), I believe it
>> should work again (in both versions).  Alternatively, you could rotate
>> the master key by following this procedure:
> 
> This solution did not work for me.

Many apologies; the actual variable name for this is "master_key_type".

Put it in kdc.conf, not both files.  Putting a profile setting in both
krb5.conf and kdc.conf can have surprising results in some cases.
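As an added illustration (not part of this thread), a small POSIX shell check for the two pitfalls just named: the misnamed setting and the same setting appearing in both files. The config files it scans are constructed samples, and `check_mkey_config` / `count_key` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): lint a kdc.conf / krb5.conf pair for the
# two pitfalls above: the misnamed key "master_key_enctype", and
# "master_key_type" set in both files.  Paths and contents are constructed.

# count_key KEY FILE -> number of lines that set KEY (0 if FILE is missing)
count_key() {
    [ -f "$2" ] || { echo 0; return 0; }
    grep -Ec "^[[:space:]]*$1[[:space:]]*=" "$2" || true   # grep -c prints 0 on no match
}

# check_mkey_config KDC_CONF KRB5_CONF -> prints findings; returns 0 when
# clean, 1 when a pitfall is present
check_mkey_config() {
    kdc="$1"; krb5="$2"; rc=0
    bad=$(( $(count_key master_key_enctype "$kdc") + $(count_key master_key_enctype "$krb5") ))
    if [ "$bad" -gt 0 ]; then
        echo "WARN: 'master_key_enctype' is not a valid setting; the name is 'master_key_type'"
        rc=1
    fi
    in_kdc=$(count_key master_key_type "$kdc")
    in_krb5=$(count_key master_key_type "$krb5")
    if [ "$in_kdc" -gt 0 ] && [ "$in_krb5" -gt 0 ]; then
        echo "WARN: master_key_type set in both kdc.conf and krb5.conf; keep it in kdc.conf only"
        rc=1
    elif [ "$in_kdc" -eq 0 ] && [ "$in_krb5" -eq 0 ]; then
        echo "INFO: master_key_type not set; the KDC will use its built-in default"
    fi
    return "$rc"
}

# Stand-alone demo on constructed sample files (a realm named EXAMPLE.COM)
tmp=$(mktemp -d)
cat > "$tmp/kdc.conf" <<'EOF'
[realms]
    EXAMPLE.COM = {
        master_key_enctype = des3-cbc-sha1
    }
EOF
printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n' > "$tmp/krb5.conf"
check_mkey_config "$tmp/kdc.conf" "$tmp/krb5.conf" || echo "-> fix kdc.conf before restarting krb5kdc/kadmind"
rm -rf "$tmp"
```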

> The only thing I ask myself is, if the new encryption type available in
> this new Kerberos version (aes256-cts-hmac-sha1-96) could bite an older
> client that does not know anything about this enctype but wants to get a
> ticket from the server for a principal that has been encrypted with this
> new encryption algorithm during the kdb5_util update_princ_encryption
> run, or if a new principal is created?

Master key encryption does not affect clients at all.  The keys are
encrypted in the database and are decrypted by the program accessing it
(krb5kdc, kadmind, etc.).