Rolling the master key online


Rolling the master key online

John Devitofranceschi

Are there any timing considerations when purging the old master key(s)?

I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running ‘purge_mkeys’ before the updated principals were propagated to the slaves after running ‘update_princ_encryption’.

I had to restart kadmind, krb5kdc, and kpropd to get things working again.

Also, after running ‘kdb5_util stash’ on the slave, the old key is preserved in the stash file, but on the master ‘kdb5_util add_mkey -s’ clobbers the old key.



________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Rolling the master key online

Greg Hudson
On 09/28/2018 07:24 AM, John Devitofranceschi wrote:
>
> Are there any timing considerations when purging the old master key(s)?
>
> I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running ‘purge_mkeys’ before the updated principals were propagated to the slaves after running ‘update_princ_encryption’.

I was not aware of any issues like this.  Please send a bug report to
[hidden email] with as much details as you can reconstruct, including
the krb5 versions running on the KDCs, specific error messages, and the
sequence of operations performed.  I will see if I can figure out what
might have gone wrong.

Re: Rolling the master key online

John Devitofranceschi


> On Sep 29, 2018, at 11:33 AM, Greg Hudson <[hidden email]> wrote:
>
> On 09/28/2018 07:24 AM, John Devitofranceschi wrote:
>> Are there any timing considerations when purging the old master key(s)?
>> I experienced some problems after following the documented procedure (kadmind/kpropd not working, tickets not being issued) which I think might have been due to running ‘purge_mkeys’ before the updated principals were propagated to the slaves after running ‘update_princ_encryption’.
>
> I was not aware of any issues like this.  Please send a bug report to [hidden email] with as much details as you can reconstruct, including the krb5 versions running on the KDCs, specific error messages, and the sequence of operations performed.  I will see if I can figure out what might have gone wrong.

Will do.  Just following up on my experiences, when I repeated the process and made certain that all the slaves had the principal encryption updates, I had no problems at all.


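The ordering problem John describes, and the fix he confirms in his follow-up (purge only once every slave has the re-encrypted principals), as an added example that is not from the thread or from MIT krb5: a POSIX sh guard that runs a `kdb5_util update_princ_encryption -n` dry run on each slave and refuses to call `purge_mkeys` until all of them report nothing left to update. The slave hostnames, root ssh access, the dump file path and the wording of the dry-run summary line the parser matches are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5. Guards the purge step of a
# master-key rollover: purge_mkeys runs only after every slave KDC reports that no
# principal is still encrypted under an old master key. Assumes add_mkey/use_mkey were
# already run on the master and each slave has run kdb5_util stash for the new key.
set -eu

SLAVES="${SLAVES:-kdc2.example.com kdc3.example.com}"          # constructed slave list (assumption)
DUMPFILE="${DUMPFILE:-/var/kerberos/krb5kdc/slave_datatrans}"  # dump file path (assumption)

# Extract the "would be updated" (or "updated") count from a kdb5_util
# update_princ_encryption summary line. Assumed wording:
#   "N principals processed: M would be updated, K already current"
# Prints nothing if the line does not match, so a parse failure is distinguishable from 0.
pending_from_summary() {
    printf '%s\n' "$1" | sed -n -e 's/would be //' -e 's/.*: \([0-9][0-9]*\) updated.*/\1/p'
}

# Dry run on a slave over ssh; the summary is the last line of output.
slave_summary() {
    ssh "root@$1" kdb5_util update_princ_encryption -n -f | tail -n 1
}

# all_slaves_current "host1 host2" [fetch-cmd]: succeed only if every slave reports 0
# pending principals. The fetch command is pluggable so the check can run without a KDC.
all_slaves_current() {
    hosts=$1; fetch=${2:-slave_summary}; ok=0
    for h in $hosts; do
        pending=$(pending_from_summary "$($fetch "$h")")
        if [ -z "$pending" ]; then
            echo "$h: could not parse dry-run summary" >&2; ok=1
        elif [ "$pending" -ne 0 ]; then
            echo "$h: $pending principal(s) still under an old master key" >&2; ok=1
        fi
    done
    return $ok
}

# Master-side steps: re-encrypt, push a full dump to every slave, verify, then purge.
propagate_and_purge() {
    kdb5_util update_princ_encryption -f
    kdb5_util dump "$DUMPFILE"
    for h in $SLAVES; do kprop -f "$DUMPFILE" "$h"; done
    all_slaves_current "$SLAVES" || { echo "propagation incomplete; not purging" >&2; return 1; }
    kdb5_util purge_mkeys -f
}

case "${1:-}" in --run) propagate_and_purge ;; esac
```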