Hi Team,

I am reaching out again about my existing issue regarding master key deletion. I am trying to find a way to restore it, although I don't have a dump of the KDC. Re-creating is the last option for me, as the cluster is live and a lot of people are using it.

While going through all the KDC-related files, I came across all the files which get created when the KDC database was created for the first time. I was wondering whether there is any way to restore the master key using either the stash file or the database file which resides in the /var/log/kerberos/krb5kdc location? We have both the stash files and the principal.db file. When I open the file, although it's not text readable, I can see the K/M@REALM principal details in this file. So is there any way to restore the master key using this principal.db file or the .k5.... stash file?

Thanks,
Harsh

On Thu, Jun 11, 2020 at 3:32 AM Harshawardhan Kulkarni <harshawardhan...@gmail.com> wrote:

> Hi Team,
>
> I basically need advice on an ongoing issue I am currently stuck on.
>
> We have a Kerberised Hadoop Cloudera Cluster. The KDC admin server is on one of
> the nodes. We don't have a failover node for the KDC server yet. On the KDC
> admin server, while doing a clean-up activity for unwanted KDC principals, I
> deleted the master key principal (K/m...@realm.com). We never took a KDC dump
> of the master key, so we don't have a backup to restore from.
>
> Is there any way I can restore the master key principal?
>
> I have tried creating it with kdb5_util add_mkey, but the error says that the KDC
> DB is not able to find a master key credential. I assume this would only
> work when you want to create another master key without deleting the
> primary key.
>
> Another option for me would be to de-kerberise the cluster, create the
> same REALM and kerberise the cluster again. But there could be serious
> issues if this doesn't fix it, as this is a live cluster where people are using
> this on a daily basis.
>
> Can anyone help me here? Looking forward to your reply.
>
> Thanks,
> Harsh Kulkarni
>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos