Master key migration and the stash command
Will Fiveash
will.fiveash at oracle.com
Mon Jun 21 18:44:05 EDT 2010
On Mon, Jun 21, 2010 at 05:07:57PM -0400, Greg Hudson wrote:
> On Mon, 2010-06-14 at 15:58 -0400, Will Fiveash wrote:
> > Is this something that should be revisited for the 1.9 release? Note
> > that the lack of a stash command in the kdb5_ldap_util is an issue for
> > some as well.
>
> I fixed "kdb5_util stash" to work against LDAP databases; it was a very
> simple bug. I tagged the fix for 1.8.3; it could also go easily into
> releases as early as (I think) 1.6.

Thanks Greg, that addresses the issue a customer was having.

> Possible remaining improvements include:
>
> * Make it possible to use "kdb5_util stash" before a KDB exists, and
> make "kdb5_util create" recognize and use the stash file. I'm no longer
> sure this is worth the effort. It would make the creation of slave KDCs
> appear slightly more elegant in some deployment scenarios, but not
> actually any more correct (the initial KDB contents are overwritten by
> the kdb5_util load regardless). It might also be more work than I had
> anticipated.
>
> * When the KDB is present but a valid stash file is not, make
> "kdb5_util stash" examine the K/M record to deduce the master key type.
> This is not completely trivial to implement, and only helps in uncommon
> deployment scenarios, so I will defer it for now.

I don't have a problem with that.

--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/