MIT Kerberos Master principal deletion

Harshawardhan Kulkarni harshawardhan.rk at gmail.com
Thu Jun 18 18:27:54 EDT 2020


Hi Team,

I am reaching out again about my existing issue regarding master key
deletion. I am trying to find a way to restore it, although I don't have a
dump of the KDC.
Re-creating is the last option for me, as the cluster is live and a lot of
people are using it.

While going through all the KDC-related files, I came across all the files
which get created when the KDC database is created for the first time.
I was wondering whether there is any way to restore the master key using
either the stash file or the database file which resides in the
/var/log/kerberos/krb5kdc location?
We have both the stash files and the principal.db file. When I open the
file, although it's not text-readable, I can see the K/M@REALM principal
details in this file.

So is there any way to restore the master key using this principal.db file
or the .k5.... stash file?

Thanks,
Harsh


On Thu, Jun 11, 2020 at 3:32 AM Harshawardhan Kulkarni <
harshawardhan.rk at gmail.com> wrote:

> Hi Team,
>
> I basically need an advice on an ongoing issue I am currently stuck on.
>
> We have a Kerberised Hadoop Cloudera Cluster. The KDC Admin server is on one of
> the nodes. We don't have a failover node for the KDC server yet. On the KDC
> admin server, while doing a clean-up activity for unwanted KDC principals, I
> deleted the master key principal (K/M@REALM.COM). We never took a KDC dump
> of the master key, so we don't have a backup to restore from.
>
> Is there any way I can restore the master key principal?
>
> I have tried creating with kdb5_util add_mkey but the error says that KDC
> DB is not able to find a master key credential. I assume this would only
> work when you want to create another master key without deleting the
> primary key.
>
> Another option for me would be to de-kerberise the cluster, create the
> same REALM and kerberise the cluster again. But there could be serious
> issues if this doesn't fix it, as this is a live cluster where people are using
> it on a daily basis.
>
> Can anyone help me here? Looking forward to your reply.
>
> Thanks,
> Harsh Kulkarni
>

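The thread above asks whether the .k5.REALM stash file still holds anything useful once the K/M principal has been deleted from principal.db. Current MIT Kerberos releases write that stash file in keytab format (the file starts with the bytes 0x05 0x02), holding the master key as an entry for the principal K/M@REALM with a kvno. The following is an added example, not code from this thread or from the MIT Kerberos project: a Python reader that inspects a keytab-format stash file and reports which principals and kvnos it contains, without ever printing or keeping the key bytes. That is the first check a defender should make before deciding what the stash can be used for, and it also shows what kdb5_util add_mkey would leave behind (a second K/M entry with a higher kvno). The realm EXAMPLE.COM and the embedded sample bytes (all-zero dummy keys) are constructed for this example; pass a real stash path as the first argument to inspect your own file.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder realm for this example; replace with your own.
REALM = "EXAMPLE.COM"

# Enctype numbers from RFC 3961 / RFC 8009 (only the common ones needed here).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}


@dataclass
class StashEntry:
    principal: str
    kvno: int
    enctype: int
    key_len: int  # only the key length is kept; the key bytes are deliberately dropped


def _counted(s: str) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_stash_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one version-2 keytab record (used here only to construct sample input)."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm)
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # 32-bit kvno appended by modern krb5
    return struct.pack(">i", len(body)) + body


def _parse_record(rec: bytes) -> StashEntry:
    off = 0
    (ncomp,) = struct.unpack(">H", rec[off:off + 2]); off += 2
    strings = []
    for _ in range(ncomp + 1):              # realm first, then each name component
        (n,) = struct.unpack(">H", rec[off:off + 2]); off += 2
        strings.append(rec[off:off + n].decode("utf-8")); off += n
    realm, comps = strings[0], strings[1:]
    _name_type, _timestamp, vno8 = struct.unpack(">IIB", rec[off:off + 9]); off += 9
    enctype, klen = struct.unpack(">HH", rec[off:off + 4]); off += 4
    off += klen                             # skip the key bytes; never log or retain them
    kvno = vno8
    if off + 4 <= len(rec):                 # optional 32-bit kvno overrides vno8 when nonzero
        (vno32,) = struct.unpack(">I", rec[off:off + 4])
        if vno32:
            kvno = vno32
    return StashEntry("/".join(comps) + "@" + realm, kvno, enctype, klen)


def parse_keytab(data: bytes) -> List[StashEntry]:
    """Parse all live records of a version-2 keytab (the format of a modern stash file)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab; an older raw-format stash has no 0x0502 header")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                        # deleted slot: skip abs(size) bytes
            pos += -size
            continue
        if size == 0:
            break
        entries.append(_parse_record(data[pos:pos + size])); pos += size
    return entries


def find_master_key(entries: List[StashEntry], realm: str) -> Optional[StashEntry]:
    """Return the highest-kvno K/M@REALM entry, or None if the stash holds no master key."""
    wanted = f"K/M@{realm}"
    matches = [e for e in entries if e.principal == wanted]
    return max(matches, key=lambda e: e.kvno) if matches else None


# Constructed sample stash: one deleted slot, then K/M kvno 1 and kvno 2 with all-zero dummy keys.
SAMPLE_STASH = (
    b"\x05\x02"
    + struct.pack(">i", -8) + bytes(8)
    + build_stash_entry(f"K/M@{REALM}", 1, 18, bytes(32))
    + build_stash_entry(f"K/M@{REALM}", 2, 18, bytes(32))
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STASH
    found = parse_keytab(data)
    for e in found:
        print(f"{e.principal} kvno={e.kvno} enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)} key_bytes={e.key_len}")
    mk = find_master_key(found, REALM)
    print("master key present, kvno", mk.kvno) if mk else print("no K/M entry in this stash")
```

Run it with no arguments to see the constructed sample, or `python stash_check.py /path/to/.k5.REALM` (as root, since the stash is readable only by the KDC) to list what your own stash holds. The reader reports principal, kvno, enctype and key length only; if it raises on the header, the file is in the pre-keytab raw stash format rather than being corrupt.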
