Thanks you On Jun 19, 2015 4:19 PM, "Tom Yu" <t...@mit.edu> wrote:
> "Podrigal, Aron" <ar...@guaranteedplus.com> writes: > > > kadmin: change_password K/M > > kadmin: quit > > > > Which should change the master password, no? > > > > But now i can't seem to get access to the database > > The master key K/M is special and can't be changed in a useful way by > using the kadmin change_password command. It is probably a bug that you > were able to run that command without getting an error. > > The following link describes the correct way to update the master key. > > > http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key > > > # kdb5_util stash > > kdb5_util: Unable to decrypt latest master key with the provided master > key > > while getting master key list > > kdb5_util: Warning: proceeding without master key list > > Enter KDC database master key: > > kdb5_util: Unable to decrypt latest master key with the provided master > key > > while getting master key list > > # > > > > As I understand the problem is that the key in keytab is no longer valid. > > However providing the password on command line as shown above should > work. > > I'm confident that I didn't forget the password :) > > > > Can anyone point me in the right direction? I seem to be missing some > > general knowledge here. Any info would be greatly appreciated. > > The master key encrypts every key in the database, including itself. > This fact is used by nearly every program that touches the database to > verify the correctness of the master key as read from a stash file or > the keyboard. By running the change_password command on K/M, you > changed the key stored in the K/M principal entry in the database, but > it probably remained encrypted in the old master key, as did every other > key in the database. > > Unfortunately, this situation is probably very difficult to recover > without reloading a backup of the database. > > -Tom > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
