"kdb5_util load -update" best practice

John Devitofranceschi jdvf at optonline.net
Sat Sep 22 09:44:41 EDT 2018


This week about 100 host and other service principals were deleted by mistake, rendering the owning systems and services unusable.

In order to remedy this, we tried using a pre-mistake backup (dump format) of the kdb to restore the principals:

    kdb5_util load -update dumpfile principal

However, this did not work. This is what’s documented in the MIT docs. We were expecting to be able to run this once per missing principal.

So instead we loaded the backup dump into a temporary kdb and extracted the missing principals into a separate dump file:

    kdb5_util -d tempKDB load dumpfile
    kdb5_util -d tempKDB dump missing-princs-dumpfile princ1 princ2 … princN

and ran this:

    kdb5_util load -update missing-princs-dumpfile

which worked. Systems restored; drinks all ‘round.

Questions:

Is there any easier way to do this?

When we loaded the missing principals, we shut down kadmind. Was this necessary? Or will kdb5_util lock the KDB properly when loading? We were worried about potential corruption if the KDB was not in a quiescent state.

When the missing principals were being added, the load process also reported that it added policies. Why did it do that? If the policies are already there, is this a no-op?

We’re using MIT Kerberos 1.13.2, by the way.

jd
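An added example, not from the post or from MIT Kerberos: a small Python script that does the principal-selection step described above (work out which principals from the backup dump are missing from the live KDB, then write a dump holding only those records for `kdb5_util load -update`) without loading the backup into a temporary KDB. It assumes the kdb5_util text dump layout in which the first line is a header, `princ` records carry the principal name in the seventh tab-separated field, and `policy` records hold policies; the sample dump and live listing are constructed.

```python
# Added example, not from the post or MIT Kerberos. Assumes the kdb5_util text
# dump layout: a header line, then tab-separated records where "princ" lines
# carry the principal name in the seventh field and "policy" lines hold policies.

def principal_names(dump_text: str) -> set:
    """Principal names found in a dump's 'princ' records."""
    names = set()
    for line in dump_text.splitlines():
        fields = line.split("\t")
        if fields[0] == "princ" and len(fields) > 6:
            names.add(fields[6])
    return names

def missing_principals(backup_dump: str, live_principals) -> list:
    """Principals present in the backup but absent from the live KDB listing."""
    return sorted(principal_names(backup_dump) - set(live_principals))

def filter_dump(backup_dump: str, wanted, keep_policies: bool = False) -> str:
    """Header plus only the wanted 'princ' records: the missing-princs-dumpfile
    of the post, built without a temporary KDB, for 'kdb5_util load -update'.
    The output still holds key material, so protect it like the full dump."""
    lines = backup_dump.splitlines()
    if not lines or not lines[0].startswith("kdb5_util load_dump version"):
        raise ValueError("not a kdb5_util dump: missing header line")
    wanted_set, out = set(wanted), [lines[0]]
    for line in lines[1:]:
        fields = line.split("\t")
        if fields[0] == "princ" and len(fields) > 6 and fields[6] in wanted_set:
            out.append(line)
        elif fields[0] == "policy" and keep_policies:
            out.append(line)  # mirrors the policy records the post saw re-added
    return "\n".join(out) + "\n"

# Constructed sample dump with abbreviated records (not real KDB data).
SAMPLE_DUMP = "\n".join([
    "kdb5_util load_dump version 6",
    "policy\tdefault\t0\t0\t0\t0\t0\t0",
    "princ\t38\t30\t1\t1\t0\thost/a.example.com@EXAMPLE.COM\t0\t...",
    "princ\t38\t30\t1\t1\t0\thost/b.example.com@EXAMPLE.COM\t0\t...",
    "princ\t38\t30\t1\t1\t0\tkrbtgt/EXAMPLE.COM@EXAMPLE.COM\t0\t...",
]) + "\n"
# Constructed listing of what survived in the live KDB (host/b was deleted).
LIVE_PRINCIPALS = ["host/a.example.com@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"]

if __name__ == "__main__":
    missing = missing_principals(SAMPLE_DUMP, LIVE_PRINCIPALS)
    print("missing:", missing)
    print(filter_dump(SAMPLE_DUMP, missing), end="")
```

The live listing would in practice come from `kadmin.local list_principals`; the filtered file then takes the place of missing-princs-dumpfile in the `kdb5_util load -update` step.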
