[krbdev.mit.edu #6359] new multi-masterkey support doesn't work well when system clock is set back
Nicolas Williams via RT
rt-comment at krbdev.mit.edu
Mon Feb 2 23:15:19 EST 2009

On Tue, Feb 03, 2009 at 01:43:39AM +0000, william.fiveash at sun.com via RT wrote:
> If the system clock on a KDC is set back in time after a mkey is
> activated "now" or if the admin sets the active time for all existing
> mkeys in the future it is possible that the code will not find any mkey
> active. This is a problem as there should always be one "active" mkey
> used to protect principal keys. I'd like to address this by making
> several changes including:

Can't the active key be marked in the principal's record via TL data?