
List:       kerberos
Subject:    Re: Unable to access kdc after changing password
From:       "Podrigal, Aron" <aronp () guaranteedplus ! com>
Date:       2015-06-19 20:24:02
Message-ID: CANJp-yj0J+zaO0kpZe760WHVmsEVdywRXvhJpv_kUXGrj+wr9A () mail ! gmail ! com

Thank you
On Jun 19, 2015 4:19 PM, "Tom Yu" <tlyu@mit.edu> wrote:

> "Podrigal, Aron" <aronp@guaranteedplus.com> writes:
>
> > kadmin: change_password K/M
> > kadmin: quit
> >
> > Which should change the master password, no?
> >
> > But now I can't seem to get access to the database
>
> The master key K/M is special and can't be changed in a useful way by
> using the kadmin change_password command.  It is probably a bug that you
> were able to run that command without getting an error.
>
> The following link describes the correct way to update the master key.
>
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key
>
> > # kdb5_util stash
> > kdb5_util: Unable to decrypt latest master key with the provided master key
> > while getting master key list
> > kdb5_util: Warning: proceeding without master key list
> > Enter KDC database master key:
> > kdb5_util: Unable to decrypt latest master key with the provided master key
> > while getting master key list
> > #
> >
> > As I understand the problem is that the key in keytab is no longer valid.
> > However providing the password on command line as shown above should work.
> > I'm confident that I didn't forget the password :)
> >
> > Can anyone point me in the right direction? I seem to be missing some
> > general knowledge here. Any info would be greatly appreciated.
>
> The master key encrypts every key in the database, including itself.
> This fact is used by nearly every program that touches the database to
> verify the correctness of the master key as read from a stash file or
> the keyboard.  By running the change_password command on K/M, you
> changed the key stored in the K/M principal entry in the database, but
> it probably remained encrypted in the old master key, as did every other
> key in the database.
>
> Unfortunately, this situation is probably very difficult to recover
> without reloading a backup of the database.
>
> -Tom
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
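
The master key rollover sequence from the MIT documentation linked in Tom Yu's reply, as an added example that is not part of the original thread. The function names, the DRY_RUN variable and the backup path argument are assumptions of this example; the kdb5_util subcommands are the real ones.

```shell
#!/bin/sh
# Added example: MIT krb5 master key rollover with kdb5_util, run as root on
# the primary KDC. DRY_RUN defaults to 1, so the steps are only printed;
# set DRY_RUN=0 to execute them. (run, mkey_rollover, DRY_RUN are example names.)

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# mkey_rollover NEW_KVNO BACKUP_FILE
#   NEW_KVNO    - kvno that list_mkeys reports for the newly added master key
#   BACKUP_FILE - where to write the database dump before touching K/M
mkey_rollover() {
    new_kvno=$1
    backup=$2
    case $new_kvno in
        ''|*[!0-9]*) echo "usage: mkey_rollover NEW_KVNO BACKUP_FILE" >&2; return 2 ;;
    esac
    [ -n "$backup" ] || { echo "backup file required" >&2; return 2; }

    # 0. Dump first: a failed rollover can then be undone with 'kdb5_util load'.
    run kdb5_util dump "$backup" || return 1
    # 1. Add a new master key version to K/M; -s also writes it to the stash file.
    run kdb5_util add_mkey -s || return 1
    # 2. Confirm the new kvno exists and is not yet the active one.
    run kdb5_util list_mkeys || return 1
    #    With replicas: propagate the database and run 'kdb5_util stash' on
    #    each replica here, before the new key is activated.
    # 3. Make the new master key version the active one.
    run kdb5_util use_mkey "$new_kvno" || return 1
    # 4. Re-encrypt every principal's keys in the active master key.
    run kdb5_util update_princ_encryption -v || return 1
    # 5. Remove master key versions that no longer protect any principal.
    run kdb5_util purge_mkeys -v || return 1
}
```

Call it as `mkey_rollover 2 /root/kdb-before-rollover.dump` to print the plan, then repeat with `DRY_RUN=0` once the kvno matches what `kdb5_util list_mkeys` shows.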