[krbdev.mit.edu #6546] KDB should use enctype of stashed master key
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Jan 7 15:55:30 EST 2010

The problem is actually more constrained than I actually thought. If
you have a stashed master key, master key retrieval works just fine
regardless of the default master key enctype. However, there are two
big caveats:

1. When you start up kadmind or kadmin.local, the kadmin/history key is
   retrieved using krb5_dbe_find_enctype with the default master key
   enctype specified; this fails if the database was created with a
   different master key enctype. This is easy to fix and will be fixed
   shortly.

2. If you type out the key using krb5kdc -m, you get:

     krb5kdc: Unable to decrypt latest master key with the provided master key
     - while fetching master keys list for realm TEST.ORG

   if the master key enctype is not the default (and is not specified via
   the -k option). We can be friendlier than that, by looking up the key
   type in the K/M entry. This is a little less trivial to fix.