This week about 100 host and other service principals were deleted by mistake, rendering the owning systems and services unusable.
In order to remedy this, we tried using a pre-mistake backup (dump format) of the kdb to restore the principals:

    kdb5_util load -update dumpfile principal

However this did not work. This is what's documented in the MIT docs. We were expecting to be able to run this once per missing principal.

So instead we loaded the backup dump into a temporary kdb and extracted the missing principals into a separate dump file:

    kdb5_util -d tempKDB load dumpfile
    kdb5_util -d tempKDB dump missing-princs-dumpfile princ1 princ2 ... princN

and ran this:

    kdb5_util load -update missing-princs-dumpfile

which worked. Systems restored; drinks all 'round.

Questions:

Is there any easier way to do this?

When we loaded the missing principals, we shut down kadmind. Was this necessary? Or will kdb5_util lock the KDB properly when loading? We were worried about potential corruption if the KDB was not in a quiescent state.

When the missing principals were being added, the load process also reported that it added policies. Why did it do that? If the policies are already there, is this a no-op?

We're using MIT Kerberos 1.13.2, by the way.

jd
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
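The temp-KDB restore procedure from the post above, wrapped in a script as an added example (not code from the poster or from MIT Kerberos). It assumes kdb5_util is on PATH and that dump version 6 "princ" records carry the principal name as the seventh tab-separated field; the check_dump_has step refuses to run "load -update" against the live KDB unless every requested principal was actually extracted.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT kdb5_util on PATH
# and a dump version 6 record per principal laid out as
#   princ<TAB>38<TAB>namelen<TAB>ntl<TAB>nkey<TAB>elen<TAB>NAME<TAB>...
# (field 7 is the principal name; that layout is an assumption here).
set -eu

# List the principal names contained in a kdb5_util dump file.
dump_princs() {
    awk -F'\t' '$1 == "princ" { print $7 }' "$1"
}

# Report requested principals that are absent from the dump.
# Returns 0 when every requested principal is present, 1 otherwise.
check_dump_has() {
    dump=$1; shift
    missing=0
    for p in "$@"; do
        if ! dump_princs "$dump" | grep -Fqx -- "$p"; then
            echo "not in dump: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# Full procedure: the pre-mistake backup dump, then the principals to restore.
restore_princs() {
    backup=$1; shift
    tmpdb=$(mktemp -d)
    extracted=$tmpdb/missing-princs.dump
    # 1. Load the backup into a scratch database, away from the live KDB.
    kdb5_util -d "$tmpdb/principal" load "$backup"
    # 2. Dump only the principals we need from the scratch database.
    kdb5_util -d "$tmpdb/principal" dump "$extracted" "$@"
    # 3. Refuse to touch the live KDB unless every principal was extracted.
    check_dump_has "$extracted" "$@"
    # 4. Merge them into the live database. The extracted dump also carries
    #    the policy records, so the load reports those as well.
    kdb5_util load -update "$extracted"
    rm -rf "$tmpdb"
}
```

Run it as `restore_princs /path/to/backup.dump host/a.example.com@EXAMPLE.COM ...` from a shell that has sourced the script.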