Merge Databases, can't dump -mkey_convert principal

[Greg Hudson]

(Sorry for the slow response.)

On 10/01/2018 08:54 PM, Eric Hattemer wrote:
> We have a production Kerberos cluster, and a test cluster.  I'd like to
> refresh test from production without overwriting those principals that
> are specific to test.  We also have something wrong with our production
> master database where it will respond to 'kdb5_util dump -verbose'
> commands by either hanging or looping.

Release 1.15 added (well, re-added) "kdb5_util dump -recurse" which can 
help with this situation.  The DB2 format contains iteration pointers as 
well as parent-child pointers; if the iteration pointers are corrupt, 
lookups work but iteration does not.  Dumping with the -recurse option 
forces the use of the parent-child pointers for iteration.

> kdb5_util: Decrypt integrity check failed while converting b at REALM to
> new master key
> kdb5_util: Decrypt integrity check failed performing Kerberos version 5
> release 1.11 dump

> That account is involved in some automated testing.  Dumps failed both
> before and after the account successfully changed its password and
> logged in.  So the principal works, it just can't be dumped with
> mkey_convert.  The whole database dumps fine without mkey_convert.  I
> had two mkeys loaded in the database.  I tried:
> 
> sudo kdb5_util use_mkey 1
> sudo kdb5_util update_princ_encryption b at REALM
> 
> and it converted just fine.

I don't have any good theories here.  krb5_util dump -mkey_convert and 
kdb5_util update_princ_encryption both use similar code paths to decrypt 
the existing key entries 
(src/kadmin/dbutil/dump.c:master_key_convert()), so it's strange that 
one would fail and the other would succeed.  There was a bug related to 
the -keepold flag which we fixed in 1.13:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7995

but I would expect that problem to apply to update_princ_encryption, and 
you didn't mention using the -keepold flag.