On 06/01/2016 02:13 PM, Todd Grayson wrote:
> Is there any kind of guidance or rules of thumb around deleting and
> re-creating the default krbtgt principal for a KDC? I've not been able to
> find specific discussion on doing this, or what the requirements would be
> for properly re-creating the entry.
>
> The issue has to do with wanting to reset a number of values in the entry
> rather than using modprinc so many times over the entry.
>
> Or is this a "don't do it" kind of thing?

I would recommend against it. At best you would be invalidating all existing TGTs; at worst you could get stuck in an unrecoverable state, with no way to access the KDC host or connect to kadmin.

You can make multiple modifications to an entry in a single modprinc operation. Even if you make the modifications one at a time, I wouldn't expect any problems from performing a dozen or so modprinc operations on the same entry in quick succession.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos