- RHEL does not have a new enough version of MIT Kerberos
- No one can remember the "Master Password" for the KDC
- The KDC is running on older Power hardware under AIX
The following is how we solved each one of the problems from above.
RHEL has an older version of MIT Kerberos
As was mentioned in my previous posts: I hate you RHEL and Kerberos 1.8 on RHEL. I was able to get MIT Kerberos 1.8 compiled, packaged, and install on RHEL5.5. See those posts for my work arounds.
Anyone remember the KDC Master Password?
The KDC was installed back in 1996. At the time, the password was known. The stash file was also created so that the KDC could start automatically. There were about 4 people that knew the Master Password either because they entered it in or they had access to the piece of paper that had the password. The person that created the Master Password no longer worked at UF, so when I needed to know what the Master Password was I had to find someone that had access to the piece of paper. After some searching, It was determined that the piece of paper was long lost and assumed destroyed. So no one knew the Master Password. All we had was the stash file.
We thought, well that sucks but at least we have the stash file so we can move forward. WRONG! Turns out the stash file is not endian safe. The file itself is written in the native endianess of the machine. Since we are going from a Power to and x86_64 machine, taking a KDC dump and taking the stash file will not work.
After much research by one of my co-workers we found an option to kdb5_util dump command that allows you to re-key the principals based on a new Master Password. That option is -mkey_convert.
There is one more wrinkle to this story. The new version of MIT Kerberos allows you to have multiple encyption types on your K/M principal. The default encryption type has also changed. So you will not just need to dump with a new Master Password but you will also need to know the encryption type of your K/M principal. This can be achieved by executing a getprinc on K/M and noting the encryption type.
So now that we had all the tools in place here is the procedure:
- Dump the KDC database on your primary kdc with the following: kdb5_util dump -mkey_convert kdc.dump. This will ask you for a new Master Password. Set it to the actual Master Password that you want in your new KDC
- Copy the contents over to the new KDC.
- Figure out what the encryption type of the K/M principal is: kadmin.local -q "getprinc K/M" and not the encryption type. You will need it later.
- Create a new KDC: kdb5_util -r
create . The password is not important. - Add a new Master Key encryption type by doing the following: kdb5_util add_mkey -e
where encryption type is set to the encryption type used where you took the KDC dump. - Get a list of the Master Keys: kdb5_util list_mkeys. Note the kvno of the newly created key.
- Switch to using the newly created key: kdb5_util use_mkey
where kvno is the kvno of the key with the correct encryption type. - Create a stash file: kdb5_util stash
- Load your dump: kdb5_util -r
load kdc.dump
- The Master Password that you entered in step 4
- The Master Password that you set in step 1
There you have it. If you follow these directions you should be able to:
- Set a new Master Password on your KDC
- Change your KDC CPU architecture from one to another
- Have a working stash file for your current KDC
- Know the encryption type of your K/M key
