Rolling the master key online
John Devitofranceschi
jdvf at optonline.net
Fri Sep 28 07:24:23 EDT 2018
Are there any timing considerations when purging the old master key(s)?
I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running the ‘purge_mkeys’ before the updated principals were propagated to the slaves after running the ‘update_princ_encryption’.
I had to restart kadmind, krb5kdc, and kpropd to get things working again.
Also, after running ‘kdb5_util stash’ on the slave, the old key is preserved in the stash file, but on the master ‘kdb5_util add_mkey -s’ clobbers the old key.