[krbdev.mit.edu #6546] KDB should use enctype of stashed master key

Greg Hudson via RT rt-comment at krbdev.mit.edu
Mon Aug 17 11:19:19 EDT 2009


Suppose you create a KDB with a non-default master key enctype:

  kdb5_util -k rc4-hmac create -s

Now you have a K/M entry with the specified enctype, and a stash keytab
containing a nicely tagged key of the specified enctype.  However, if
you try to access the KDB, you will get:

  kadmin.local: No matching key in entry while initializing kadmin.local interface

So the code is specifically looking for a key of the expected master key
enctype (either the one specified in the profile's master_key_type or
the default) instead of using what it can find in the stash file.

This is a big problem if we ever want to change the master key type
between releases (which we do, since the default is currently triple
DES).  Databases created with the old master key type will stop working
unless the admin adds a master_key_type setting to kdc.conf, which is
not a friendly experience.
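To make the lookup difference concrete, here is a small Python model of the two policies described above (an added illustration, not krb5's code): the reported behaviour derives the expected enctype from the profile's master_key_type or the compiled-in default, while the requested behaviour takes the enctype tag from the stash entry. Class and function names, the sample K/M entry and the stash entry are all constructed for this example.

```python
from dataclasses import dataclass, field

# Default master key type at the time of the report (triple DES); hypothetical constant names.
DEFAULT_MASTER_KEY_TYPE = "des3-cbc-sha1"


class NoMatchingKey(Exception):
    """Models the 'No matching key in entry' error from the report."""


@dataclass
class KeyData:
    enctype: str
    kvno: int


@dataclass
class PrincipalEntry:
    """Simplified K/M database entry: a principal name and its key list."""
    principal: str
    keys: list = field(default_factory=list)


@dataclass
class StashEntry:
    """A stash keytab entry carries the master key tagged with enctype and kvno."""
    enctype: str
    kvno: int


def find_key(entry, enctype, kvno=None):
    """Return the first key of the requested enctype (and kvno, if given)."""
    for k in entry.keys:
        if k.enctype == enctype and (kvno is None or k.kvno == kvno):
            return k
    raise NoMatchingKey(f"No matching key in entry for {enctype}")


def expected_enctype_from_profile(profile):
    """Reported behaviour: master_key_type from kdc.conf, else the default."""
    return profile.get("master_key_type", DEFAULT_MASTER_KEY_TYPE)


def lookup_master_key_profile(km_entry, profile, stash):
    """Reported behaviour: the stash enctype tag is ignored, so a KDB created
    with a non-default master key type fails unless kdc.conf says so."""
    return find_key(km_entry, expected_enctype_from_profile(profile))


def lookup_master_key_stash(km_entry, profile, stash):
    """Requested behaviour: use the enctype (and kvno) recorded in the stash."""
    return find_key(km_entry, stash.enctype, stash.kvno)
```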
