Merge Databases, can't dump -mkey_convert principal

Eric Hattemer ehatteme at usc.edu
Mon Oct 1 20:54:54 EDT 2018


We have a production Kerberos cluster, and a test cluster.  I'd like to
refresh test from production without overwriting those principals that
are specific to test.  We also have something wrong with our production
master database where it will respond to 'kdb5_util dump -verbose'
commands by either hanging or looping.  Generally speaking, everything
works fine, it's just that the database (which is 20 years old) cannot
be dumped.  So eventually I'd like to copy the prod database over to
test and figure out what's wrong with it.

The prod and test databases have different master keys at the moment.  I
thought what I would do is dump all the test-specific principals with
'-mkey_convert' to the prod master password.  But that's currently where
I'm stuck.  If I run:

sudo kdb5_util dump -verbose -mkey_convert -k aes256-cts-hmac-sha1-96

it runs for a few hundred accounts, then stops at one specific principal:

kdb5_util: Decrypt integrity check failed while converting b@REALM to
new master key
kdb5_util: Decrypt integrity check failed performing Kerberos version 5
release 1.11 dump

If I limit the dump to just b@REALM, it fails immediately with the same
error.

That account is involved in some automated testing.  Dumps failed both
before and after the account successfully changed its password and
logged in.  So the principal works, it just can't be dumped with
mkey_convert.  The whole database dumps fine without mkey_convert.  I
had two mkeys loaded in the database.  I tried:

sudo kdb5_util use_mkey 1
sudo kdb5_util update_princ_encryption b@REALM

and it converted just fine.

I'm probably going to create a third environment that doesn't need the
test principals in it.  But I'm just wondering if there's a solution to
the principal that works for the user but can't be dumped with a new key.

-- 
Eric Hattemer
Engineer
Identity and Access Management
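As an added example (not from the post above), a small POSIX sh helper for the situation described there: before merging, check every principal with a one-principal `kdb5_util dump -mkey_convert` and list the ones whose keys fail the integrity check, so they can be re-encrypted with `update_princ_encryption` first. It assumes `kdb5_util` and `kadmin.local` are on PATH with the privileges the post uses, and that the target master key is available in a stash file (`NEW_MKEY_STASH` is a placeholder) so the dump does not prompt for a password on every principal.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: a stash file holding the master key the dump should convert to.
NEW_MKEY_STASH="/path/to/new-master-key.stash"   # placeholder

# Pull the principal name out of the failure message kdb5_util prints when a
# principal's keys fail the decrypt integrity check during -mkey_convert.
# $1: captured stderr text. Prints the principal, or nothing if no such line.
failing_principal() {
    printf '%s\n' "$1" \
        | sed -n 's/^kdb5_util: Decrypt integrity check failed while converting \(.*\) to new master key$/\1/p' \
        | head -n 1
}

# Dump one principal to stdout (discarded) with -mkey_convert; on failure,
# print the principal named in the error and return non-zero.
check_principal() {
    err=$(kdb5_util dump -mkey_convert -new_mkey_file "$NEW_MKEY_STASH" - "$1" \
          2>&1 >/dev/null) && return 0
    failing_principal "$err"
    return 1
}

# Walk every principal in the database and print those that cannot be
# converted, i.e. candidates for 'kdb5_util update_princ_encryption'.
# Usage: list_unconvertible > unconvertible.txt
list_unconvertible() {
    kadmin.local -q listprincs 2>/dev/null | grep '@' | while read -r princ; do
        check_principal "$princ" || true
    done
}

# Constructed sample of the stderr shown in the post, for exercising the
# parser offline without a KDC.
SAMPLE_ERR='kdb5_util: Decrypt integrity check failed while converting b@REALM to new master key
kdb5_util: Decrypt integrity check failed performing Kerberos version 5 release 1.11 dump'
```

Each principal that the script prints can then be handled the way the post did for b@REALM (`use_mkey` to the current key, then `update_princ_encryption`) before the full converted dump is retried.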