MIT Kerberos Master principal deletion

Chris Hecker checker at d6.com
Thu Jun 11 18:19:39 EDT 2020


Maybe dump the core of the running process so you don't accidentally 
crash it while trying to debug it live?  But that would make finding it 
in memory even harder...

Chris


------ Original Message ------
From: "Nico Williams" <nico at cryptonector.com>
To: "Harshawardhan Kulkarni" <harshawardhan.rk at gmail.com>
Cc: "kerberos at mit.edu" <kerberos at mit.edu>
Sent: 2020-06-11 15:05:19
Subject: Re: MIT Kerberos Master principal deletion

>On Thu, Jun 11, 2020 at 03:32:35AM +0100, Harshawardhan Kulkarni wrote:
>>  I basically need some advice on an ongoing issue I am currently stuck on.
>>
>>  We have a Kerberised Hadoop Cloudera Cluster. KDC Admin server is on one of
>>  the nodes. We don't have a failover node for KDC server yet. On the KDC
>>  admin server while doing a clean up activity for unwanted kdc principals, I
>>  deleted the master key principal (K/M@REALM.COM). We never took a kdc dump
>>  of the master key. So we don't have a backup to restore from.
>>
>>  Is there any way I can restore the master key principal?
>
>If you have a running KDC you could use a debugger to recover that key.
>It won't be easy.  It's not something anyone does on a regular basis, so
>I don't have instructions to give you.
>
>>  I have tried creating with kdb5_util add_mkey but the error says that KDC
>>  DB is not able to find a master key credential. I assume this would only
>>  work when you want to create another master key without deleting the
>>  primary key.
>
>Adding a new key won't help you: the existing records are encrypted in
>the old key.
>
>>  Another option for me would be to de-kerberise the cluster and create the
>>  same REALM and kerberise the cluster again. But there could be serious
>>  issues if this doesn't fix as this is a live cluster where people are using
>>  this on a daily basis.
>
>You could rebuild your realm, yes.  That's a flag day.  Users in that
>realm will need to be re-enrolled, keytabs will need to be re-created
>and distributed...
>
>Nico
>--
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
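The situation in the quoted thread (no dump of the database, and the K/M principal gone) is only recoverable from a backup that was taken and verified beforehand. Below is an added example, not code from anyone in the thread: a POSIX shell routine that dumps an MIT KDC database with kdb5_util, keeps the stash file next to it, and refuses to call the backup good unless the dump actually contains K/M@REALM. It assumes kdb5_util is on PATH, that it runs as root on the KDC, and that the stash file lives at /etc/krb5kdc/.k5.REALM unless a path is given.

```shell
#!/bin/sh
# Added example (not from the thread): back up an MIT Kerberos KDC database
# and verify that the dump contains the master key principal K/M@REALM.
# Assumes kdb5_util on PATH, run as root on the KDC host.
set -eu

# Return 0 if FILE holds a "princ" record whose tab-separated fields include
# the exact principal name PRINC (e.g. K/M@EXAMPLE.COM). kdb5_util dump writes
# one "princ" line per entry with tab-separated fields; matching any field
# avoids depending on the exact column position of the name.
dump_has_principal() {
    file=$1
    princ=$2
    awk -F '\t' -v p="$princ" '
        $1 == "princ" { for (i = 2; i <= NF; i++) if ($i == p) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$file"
}

# Dump the KDC database for REALM into DEST, copy the stash file alongside it,
# and report success only if K/M@REALM is present in the dump.
backup_kdc() {
    realm=$1
    dest=$2
    stash=${3:-/etc/krb5kdc/.k5.$realm}   # assumed default stash location
    mkdir -p "$dest"
    chmod 700 "$dest"                      # dump and stash are secrets
    stamp=$(date +%Y%m%d%H%M%S)
    dump="$dest/kdb-$realm-$stamp.dump"
    kdb5_util -r "$realm" dump "$dump"
    if [ -f "$stash" ]; then
        cp -p "$stash" "$dest/stash-$realm-$stamp"
    else
        # Records in the dump are encrypted in the master key: without the
        # stash file or the master password the dump cannot be loaded.
        echo "warning: stash file $stash not found; keep the master password safe" >&2
    fi
    if dump_has_principal "$dump" "K/M@$realm"; then
        echo "backup ok: $dump"
    else
        echo "error: K/M@$realm missing from $dump; master key principal is gone" >&2
        return 1
    fi
}

# Usage: backup_kdc EXAMPLE.COM /var/backups/krb5kdc [/path/to/stash]
if [ "$#" -ge 2 ]; then
    backup_kdc "$@"
fi
```

Run it from cron on the KDC and alert on a non-zero exit: a backup that passes this check is one you can load with kdb5_util load and the saved stash.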
