Rolling the master key online
Greg Hudson
ghudson at mit.edu
Sat Sep 29 11:33:40 EDT 2018
On 09/28/2018 07:24 AM, John Devitofranceschi wrote:
>
> Are there any timing considerations when purging the old master key(s)?
>
> I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running the 'purge_mkeys' before the updated principals were propagated to the slaves after running the 'update_princ_encryption'.

I was not aware of any issues like this. Please send a bug report to
krb5-bugs at mit.edu with as much detail as you can reconstruct, including
the krb5 versions running on the KDCs, specific error messages, and the
sequence of operations performed. I will see if I can figure out what
might have gone wrong.