On 07/18/2017 11:49 PM, Joshua Schaeffer wrote:
>> * Why does the master DB entry (K/M) have no key data?
>
> Well, I believe this is the key question. When I run kdb5_util stash I
> now get this error:
[...]
> kdb5_util: Cannot find master key record in database while getting
> master key lis
On 07/19/2017 09:45 AM, Greg Hudson wrote:
>
> This error message is likely conflating "K/M doesn't exist" with "K/M
> exists but has no key data".
>
> In the LDAP record you included, there is no krbPrincipalKey attribute,
> as one would ordinarily see in the K/M record. That key data should be
>
On 07/19/2017 08:22 PM, Joshua Schaeffer wrote:
> * Do you know if ldap_kdc_dn needs read rights to the krbPrincipalKey
> attribute?
It does. The KDC is the primary user of principal long-term keys; it
uses them to verify pre-authentication, encrypt KDC replies, and encrypt
service tickets.
> *
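As an added check (not code from the thread or from MIT Kerberos), here is a small LDIF inspector that separates the two cases Greg describes above: parse a dump of the krbContainer subtree, locate the K/M principal for the realm, and report whether the entry is missing, present without krbPrincipalKey, or present with key data. The sample LDIF, the DNs and the key bytes are constructed for the example.

```python
import base64

# Constructed sample export (not from the thread): K/M exists but has no
# krbPrincipalKey, while a service principal does. In LDIF a binary value
# follows '::' base64-encoded, and long values fold onto lines starting with ' '.
BASE = "cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"
KEY_BLOB = b"constructed-opaque-key-data"  # stands in for real key bytes
B64 = base64.b64encode(KEY_BLOB).decode()
SAMPLE_LDIF = (
    f"dn: krbPrincipalName=K/M@EXAMPLE.COM,{BASE}\n"
    "objectClass: krbPrincipal\nkrbPrincipalName: K/M@EXAMPLE.COM\n\n"
    f"dn: krbPrincipalName=host/kdc.example.com@EXAMPLE.COM,{BASE}\n"
    "objectClass: krbPrincipal\n"
    "krbPrincipalName: host/kdc.example.com@EXAMPLE.COM\n"
    f"krbPrincipalKey:: {B64[:16]}\n {B64[16:]}\n"
)

def parse_ldif(text: str) -> dict[str, dict[str, list[bytes]]]:
    """Minimal LDIF parser: returns {dn: {attribute: [raw values]}}."""
    lines = []
    for line in text.splitlines():  # unfold continuation lines first
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # '::' marks a base64-encoded value
            raw = base64.b64decode(rest[1:].strip())
        else:
            raw = rest.strip().encode()
        if name == "dn":
            dn = raw.decode()
        else:
            attrs.setdefault(name, []).append(raw)
    return entries

def diagnose_master_key(entries: dict[str, dict[str, list[bytes]]], realm: str) -> str:
    """Tell apart the two cases the kdb5_util error lumps together:
    'missing', 'present-no-key', or 'ok' (key data present)."""
    for attrs in entries.values():
        if f"K/M@{realm}".encode() in attrs.get("krbPrincipalName", []):
            return "ok" if attrs.get("krbPrincipalKey") else "present-no-key"
    return "missing"
```

Because the attribute is absent from a dump both when it really is missing and when the binding DN cannot read it, take one dump as the directory admin DN and one as ldap_kdc_dn and compare the results.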