[krbdev.mit.edu #8651] kinit -kt KDB: Cannot find/read stored master key


Greg Hudson via RT-2
I have found automated jobs that are executed on a KDC using "kinit -kt KDB:" may sometimes fail with:

        kinit: Cannot find/read stored master key while setting up KDB key tab for realm XXX

However, if the script is retried, it invariably works. I suspect there is a transient locking condition which may sporadically cause a failure. The k5stash file path is local and the "ctime" has not changed anytime within the intervals of the run.

FYI - KDB: offers a great way to authenticate using a Kerberos-internal principal (e.g. kadmin/admin) to prove it is the KDC infrastructure, without having to create secondary files which can be copied out-of-band or for which their distribution cannot be deterministically sync’d with respect to Kerberos iprop propagation. For most use-cases, I prefer keytabs but to prove Kerberos infrastructure identity, I prefer not to create extra keytabs and to rotate the keys aggressively to mitigate impact from any unauthorized extraction of Kerberos’ keys.


_______________________________________________
krb5-bugs mailing list
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
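The report above observes that a retried `kinit -kt KDB:` invariably succeeds, so the operational mitigation while the cause is unknown is a bounded retry that fires only on that one error string and reports every other kinit failure immediately. The wrapper below is an added example for this thread, not code from the report or from MIT krb5; the environment variables `KINIT_CMD`, `KDB_RETRY_MAX` and `KDB_RETRY_SLEEP` are assumptions of this script (the first exists so the wrapper can be exercised against a stand-in command without a KDC), and the realm and error text it matches are taken from the message quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or from krb5: a bounded retry wrapper
# for "kinit -kt KDB:" so that a single transient "Cannot find/read stored
# master key" failure does not abort an automated job outright. Only that error
# is retried; any other kinit failure is reported at once.
#
# Assumed knobs (hypothetical, not part of krb5): KINIT_CMD is the kinit command
# to run (overridable so the wrapper can be tested without a KDC), KDB_RETRY_MAX
# caps the attempts and KDB_RETRY_SLEEP is the pause in seconds between them.
KINIT_CMD="${KINIT_CMD:-kinit}"
KDB_RETRY_MAX="${KDB_RETRY_MAX:-3}"
KDB_RETRY_SLEEP="${KDB_RETRY_SLEEP:-2}"

# is_transient_kdb_error STDERR_TEXT
# Succeeds only for the master-key error quoted in the report.
is_transient_kdb_error() {
    case "$1" in
        *"Cannot find/read stored master key"*) return 0 ;;
        *) return 1 ;;
    esac
}

# kinit_kdb_retry PRINCIPAL
# Runs "kinit -kt KDB: PRINCIPAL". Prints the number of attempts made on stdout;
# the exit status is that of the last kinit run (0 on success). kinit's stderr
# is surfaced only when the wrapper gives up, so a retried blip stays quiet.
kinit_kdb_retry() {
    principal="$1"
    attempt=1
    while :; do
        # Capture stderr (the error text) and discard stdout; the "&& ... ||"
        # form keeps a failing kinit from tripping "set -e" in callers.
        err=$("$KINIT_CMD" -kt KDB: "$principal" 2>&1 >/dev/null) && status=0 || status=$?
        if [ "$status" -eq 0 ]; then
            echo "$attempt"
            return 0
        fi
        # Give up on any non-transient error, or once the attempt cap is reached.
        if ! is_transient_kdb_error "$err" || [ "$attempt" -ge "$KDB_RETRY_MAX" ]; then
            printf 'kinit_kdb_retry: giving up after %s attempt(s): %s\n' "$attempt" "$err" >&2
            echo "$attempt"
            return "$status"
        fi
        attempt=$((attempt + 1))
        sleep "$KDB_RETRY_SLEEP"
    done
}

# Typical cron usage on a KDC (commented out so the file is safe to source):
# kinit_kdb_retry kadmin/admin >/dev/null || exit 1
```

Matching on the exact error text rather than on any non-zero exit keeps the retry from masking a genuinely broken stash file or a wrong principal, and the attempt count on stdout gives the job a value it can log so that a rising retry rate is visible rather than silently absorbed.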