Requesting review of the Master Key Migration project

Will Fiveash William.Fiveash at Sun.COM
Wed Sep 10 20:31:47 EDT 2008


On Mon, Sep 08, 2008 at 07:36:54PM -0400, Ken Raeburn wrote:
> On Sep 2, 2008, at 20:25, Will Fiveash wrote:
>> I've added a page on the MIT Kerberos Consortium wiki for the Master Key
>> Migration project.  The URL to the page is:
>> http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
>
>
> Under "use_mkey <KVNO>", it says, "The kadmind should be
> stopped/disabled prior to running this command and enabled after
> successful completion."
>
> I'm trying to recall... was there a reason why the change can't be done
> while kadmind is running?  Perhaps it doesn't automatically pick up the
> change, but if we can require just restarting kadmind after the update,
> that's a smaller window of unavailability than having to shut it off
> while manually running commands to update the database.

Right, it was for updating the current MKVNO in the kadmind.  I'll
modify that to say the kadmind and krb5kdc (for the same reason, yes?)
should be restarted to pick up the change.

> purge_mkeys: What is the user prompted for?  "Are you sure?"  "This is  
> the set I'm going to kill, okay?"  "Kill version 3?  Kill version 4? ..."

The prompt will be "Delete version 3 master key for the FOO.COM realm?  [y/n]"

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/


