[krbdev.mit.edu #8744] Issues when rolling the master key online


Greg Hudson via RT-2
Following the instructions as given when using incremental propagation
(https://web.mit.edu/kerberos/krb5-1.12/doc/admin/database.html#updating-the-master-key),
it seems that you can end up with the master KDC in a bad way AND a dead kpropd on the slave.

Also, there's another case where things can go wrong in a different way when the update log rolls over.
The full resync request gets raised but doesn't get fulfilled until daemon processes get restarted. kpropd doesn't crash in that case, though.
There may also be a bad result when the kdb principal encryption incremental update is bundled with the mkey purge.
Let me know if you want the logs from those, too.

Master: Solaris 11 server running MIT 1.15
Slave: Fedora 28 server running MIT 1.16.1 (provided with the distro)

Also tried this with both hosts being 1.13.2 (Solaris 10), 15.1 (RHEL 7) and later with both running 1.16.1 on the hosts as described above and achieved similar results.


Create new mkey, wait for slave update (kdb5_util add_mkey -s)
-------------------------------------------------------------------------------------
MASTER LOG
Sep 29 17:35:48 endless.foonon.com kadmind[18090](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=10; Outgoing SerialNo=11, success, client=kiprop/[hidden email], service=kiprop/[hidden email], addr=192.168.1.224
SLAVE LOG
Sep 29 17:35:48 topper28 kpropd[27555]: Incremental updates: 1 updates / 7756 us

Use new mkey & update princs: kdb5_util use_mkey 2 ; kdb5_util update_princ_encryption (1132 principals)
-----------------------------------------------------------------------------------------------------------------------------------------------

# kdb5_util -d ./principal -sf ./.k5.FOONON.COM  list_mkeys
Master keys for Principal: K/[hidden email]
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Sat Sep 29 17:37:20 EDT 2018 *

MASTER LOG
Sep 29 17:37:48 endless.foonon.com kadmind[18090](Notice): Request: iprop_get_updates_1, UPDATE_ERROR; Incoming SerialNo=11; Outgoing SerialNo=N/A, Update log conversion error, client=kiprop/[hidden email], service=kiprop/[hidden email], addr=192.168.1.224
Sep 29 17:37:48 endless.foonon.com kadmind[18090](info): closing down fd 21
SLAVE LOG
Sep 29 17:37:48 topper28 kpropd[27555]: get_updates, error returned from master KDC.
Sep 29 17:37:48 topper28 kpropd[27555]: ERROR returned by master KDC, bailing.
Sep 29 17:37:48 topper28 kpropd[27555]: /usr/sbin/kpropd: Operation not permitted do_iprop failed.

Purge old key: kdb5_util purge_mkeys
---------------------------------------------------
kadmin.local:  getprinc K/M
Principal: K/[hidden email]
...
Last modified: Sat Sep 29 17:37:59 EDT 2018 (K/[hidden email])
...
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
MKey: vno 2
...

KDC MASTER LOG
Sep 29 17:39:49 endless.foonon.com krb5kdc[18065](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 192.168.1.200: DECRYPT_CLIENT_KEY: host/[hidden email] for krbtgt/[hidden email], Decrypt integrity check failed
Sep 29 17:43:08 endless.foonon.com krb5kdc[18065](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 192.168.1.200: DECRYPT_CLIENT_KEY: host/[hidden email] for krbtgt/[hidden email], Decrypt integrity check failed


Restart kadmind
----------------------
KDC MASTER LOG
Sep 29 17:44:36 endless.foonon.com krb5kdc[18065](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 192.168.1.200: DECRYPT_CLIENT_KEY: host/[hidden email] for krbtgt/[hidden email], Decrypt integrity check failed

Restart krb5kdc
---------------------
KDC MASTER LOG
Sep 29 17:45:00 endless.foonon.com krb5kdc[18166](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 192.168.1.200: ISSUE: authtime 1538257500, etypes {rep=18 tkt=18 ses=18}, host/[hidden email] for krbtgt/[hidden email]

Restart kpropd
--------------------
MASTER LOG
Sep 29 17:47:53 endless.foonon.com kadmind[18160](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=11; Outgoing SerialNo=1145, success, client=kiprop/[hidden email], service=kiprop/[hidden email], addr=192.168.1.224
SLAVE LOG
Sep 29 17:47:53 topper28 kpropd[27627]: Incremental updates: 1134 updates / 428790 us

Changes included in the incremental update: activating the new master key, the princ enc changes, purging the old K/M key

Normal operation resumes.



_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
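As an added example, not part of the report or of MIT krb5, a small triage script that scans kadmind, kpropd and krb5kdc syslog lines for the three signatures shown above: the master's iprop "Update log conversion error", kpropd bailing out on the slave, and the KDC's "Decrypt integrity check failed" after the purge. The sample lines are constructed from the report; the principal names and the `kiprop/topper28` client are placeholders.

```python
"""Triage kadmind / kpropd / krb5kdc syslog lines for the failure modes in this
report: an iprop "Update log conversion error" on the master, kpropd bailing
on the slave, and the KDC failing to decrypt client keys after purge_mkeys."""
import re
from typing import Dict, List

# Constructed sample, abridged from the report; the principal names are placeholders.
SAMPLE_LOG = """\
Sep 29 17:35:48 endless.foonon.com kadmind[18090](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=10; Outgoing SerialNo=11, success, client=kiprop/topper28@FOONON.COM, service=kiprop/endless.foonon.com@FOONON.COM, addr=192.168.1.224
Sep 29 17:37:48 endless.foonon.com kadmind[18090](Notice): Request: iprop_get_updates_1, UPDATE_ERROR; Incoming SerialNo=11; Outgoing SerialNo=N/A, Update log conversion error, client=kiprop/topper28@FOONON.COM, service=kiprop/endless.foonon.com@FOONON.COM, addr=192.168.1.224
Sep 29 17:37:48 topper28 kpropd[27555]: get_updates, error returned from master KDC.
Sep 29 17:37:48 topper28 kpropd[27555]: ERROR returned by master KDC, bailing.
Sep 29 17:37:48 topper28 kpropd[27555]: /usr/sbin/kpropd: Operation not permitted do_iprop failed.
Sep 29 17:39:49 endless.foonon.com krb5kdc[18065](info): AS_REQ (8 etypes {18 17 16 23 20 19 25 26}) 192.168.1.200: DECRYPT_CLIENT_KEY: host/client@FOONON.COM for krbtgt/FOONON.COM@FOONON.COM, Decrypt integrity check failed
Sep 29 17:47:53 endless.foonon.com kadmind[18160](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=11; Outgoing SerialNo=1145, success, client=kiprop/topper28@FOONON.COM, service=kiprop/endless.foonon.com@FOONON.COM, addr=192.168.1.224
"""

# kadmind's iprop_get_updates_1 audit line: status, serial numbers, result text, client.
IPROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kadmind\[(?P<pid>\d+)\].*?iprop_get_updates_1, "
    r"(?P<status>UPDATE_\w+); Incoming SerialNo=(?P<incoming>\d+); "
    r"Outgoing SerialNo=(?P<outgoing>[^,]+), (?P<detail>[^,]+), client=(?P<client>[^,]+),")
KPROPD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kpropd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KDC_DECRYPT_RE = re.compile(r" krb5kdc\[\d+\].*DECRYPT_CLIENT_KEY: (?P<princ>\S+) for .*Decrypt integrity check failed$")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return human-readable findings keyed by failure mode; empty lists mean 'not seen'."""
    out: Dict[str, List[str]] = {"iprop_conversion_error": [], "kpropd_exited": [],
                                 "kdc_decrypt_failed": [], "iprop_recovered": []}
    for line in log_text.splitlines():
        m = IPROP_RE.match(line)
        if m:
            if m["status"] == "UPDATE_ERROR" and "conversion" in m["detail"]:
                out["iprop_conversion_error"].append(
                    f"{m['ts']} kadmind[{m['pid']}]: update log conversion failed serving "
                    f"{m['client']} entries after #{m['incoming']}; expect kpropd to bail")
            elif m["status"] == "UPDATE_OK":
                delivered = int(m["outgoing"]) - int(m["incoming"])  # matches kpropd's "N updates"
                if delivered > 1:
                    out["iprop_recovered"].append(f"{m['ts']} {m['client']} caught up: {delivered} updates")
            continue
        m = KPROPD_RE.match(line)
        if m and "do_iprop failed" in m["msg"]:
            out["kpropd_exited"].append(f"{m['ts']} kpropd[{m['pid']}] on {m['host']} exited: {m['msg']}")
            continue
        m = KDC_DECRYPT_RE.search(line)
        if m:
            out["kdc_decrypt_failed"].append(
                f"{m['princ']}: KDC cannot decrypt client key (stale master key in running krb5kdc?)")
    return out
```

Run it against a real syslog extract with `triage(open(path).read())`; a non-empty `kpropd_exited` with no later `iprop_recovered` entry for the same client means the slave is silently stale.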