> 3) anyway the best would be to pull old key from backups (either from
> kdc or server backup) and put it back to KDC under correct kvno
> 
> depending on your skills and other factors of your environment,
> restoring whole KDC db might be easier than to mess with single entry ...

btw, just putting old key to the service keytab on NFS server might do
the trick most easily...

the clients still holding the not-yet expired tickets would be able to
access the service, because service would have both old and new keys
available ... there should be no need to manage the kdc i guess


b

ps: typing faster than thinking ;(
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
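
An added example, not part of the original message: a check that a service keytab really holds both the old and the new key version, since a ticket issued before the key change can only be decrypted if the key with that kvno is still in the keytab. It assumes the MIT keytab file format 0x0502; the principal name, kvnos 3 and 4, and the key bytes are constructed.

```python
import struct

def _counted(buf, off):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        p, end = off, off + size
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                             # skip name type and timestamp
        kvno, enctype, klen = struct.unpack_from(">BHH", data, p)
        p += 5 + klen                      # skip the key bytes themselves
        if end - p >= 4:                   # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def kvnos_for(entries, principal):
    """Sorted key version numbers the keytab holds for one principal."""
    return sorted({k for name, k, _ in entries if name == principal})

def _entry(realm, comps, kvno, enctype, key):  # builds the sample only
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: old (kvno 3) and new (kvno 4) aes256 keys, dummy bytes.
SAMPLE = b"\x05\x02" + b"".join(
    _entry("EXAMPLE.COM", ["nfs", "server.example.com"], v, 18, bytes([v]) * 32)
    for v in (3, 4))
SVC = "nfs/server.example.com@EXAMPLE.COM"
print(kvnos_for(parse_keytab(SAMPLE), SVC))
```

To check a real keytab, pass the file's bytes to `parse_keytab` instead of `SAMPLE`.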
