[krbdev.mit.edu #8913] Deleting master key principal entry shouldn't be possible
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Jun 11 17:20:31 EDT 2020
Thu Jun 11 17:20:31 2020: Request 8913 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: Deleting master key principal entry shouldn't be possible
Owner: Nobody
Requestors: ghudson at mit.edu
Status: open
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8913 >
Running "kadmin.local delprinc K/M" pretty much bricks a KDB. Authentication
will continue to work as long as the current krb5kdc process is running, but
essentially all admin operations will fail, and (short of writing custom code)
there does not seem to be any way to recover. In contrast, other admin
principals like krbtgt/REALM can simply be recreated with random keys.
More information about the krb5-bugs
mailing list