On Thu, Jun 11, 2020 at 03:32:35AM +0100, Harshawardhan Kulkarni wrote:
> I basically need advice on an ongoing issue I am currently stuck on.
>
> We have a Kerberised Hadoop Cloudera Cluster. KDC Admin server is on one of
> the nodes. We don't have a failover node for KDC server yet. On the KDC
> admin server while doing a clean up activity for unwanted kdc principals, I
> deleted the master key principal (K/[email protected]). We never took a kdc dump
> of the master key. So we don't have a backup to restore from.
>
> Is there any way I can restore the master key principal?

If you have a running KDC you could use a debugger to recover that key.
It won't be easy. It's not something anyone does on a regular basis, so
I don't have instructions to give you.

> I have tried creating with kdb5_util add_mkey but the error says that KDC
> DB is not able to find a master key credential. I assume this would only
> work when you want to create another master key without deleting the
> primary key.

Adding a new key won't help you: the existing records are encrypted in
the old key.

> Another option for me would be to de-kerberise the cluster and create the
> same REALM and kerberise the cluster again. But there could be serious
> issues if this doesn't fix as this is a live cluster where people are using
> this on a daily basis.

You could rebuild your realm, yes. That's a flag day. Users in that
realm will need to be re-enrolled, keytabs will need to be re-created
and distributed...

Nico
-- 
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
