Stash File

2005-07-02 Thread Manel Euro
Hello, Is there a need to backup the stash file. If I have understood right when creating a slave KDC and running the command kdb5_util stash the stash file is created. Is this correct? M.

Re: Stash File

2005-07-02 Thread Russ Allbery
"Manel Euro" <[EMAIL PROTECTED]> writes:
> Is there a need to backup the stash file. If I have understood right when
> creating a slave KDC and running the command kdb5_util stash the stash
> file is created.
> Is this correct?
If you have the password that you u

Stash file problems

2007-02-12 Thread Edward Murrell
Hi all, I've run into some problems with a KDC slave that's started giving me grief out of the blue. System (bender) is Debian testing, x86. Krb5 packages are all 1.4.4-6. The master KDC (becks) is Ubuntu 6.06 (LTS) running KRB5, with Krb5 packages 1.4.3-5ubuntu0.2. The master KDC also feeds ano

Re: Stash file problems

2007-02-12 Thread Edward Murrell
Ah ha. This was my fault. As it turns out, I had funky cross realm authentication going on because I was moving from one realm to another. The master KDC at one point had had two KDC's running on it, and the default realm in krb5.conf was set to the old realm, this had worked for a while, because t

"If you choose to install a stash file..."

2007-01-04 Thread Jeff Blaine
http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-install/Create-the-Database.html#Create%20the%20Database "If you choose to install a stash file..." What if I don't? No explanation is given as to the alternative. Kerber

how to *not* create a stash file with kdb5_util?

2002-02-01 Thread Andreas Hasenack
I'm running on an odd problem, but I might be just fooling myself, I don't know. It doesn't matter if I specify or not the -s option to kdb5_util create, I always end up having a stash file. It also doesn't matter if I have a stash file configured in kdc.conf. Anyway,

Re: "If you choose to install a stash file..."

2007-01-04 Thread Ken Hornstein
>http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-install/Create-the-Database.html#Create%20the%20Database
>
>"If you choose to install a stash file..."
>
>What if I don't? No explanation is given as to the alternative.
Every time the KDC starts up, you

Re: "If you choose to install a stash file..."

2007-01-04 Thread Jeff Blaine
e%20Database
>>
>> "If you choose to install a stash file..."
>>
>> What if I don't? No explanation is given as to the alternative.
>
> Every time the KDC starts up, you have to type in the master key before
> the KDC process will start up. The stash

Re: "If you choose to install a stash file..."

2007-01-04 Thread Russ Allbery
Jeff Blaine <[EMAIL PROTECTED]> writes:
> Thanks, Ken. That's what I assumed. Shouldn't that be mentioned in the
> docs? Seems logical, especially after the words "If you choose to..."
I've committed a patch to Subversion to document the effects of not cre

Re: "If you choose to install a stash file..."

2007-01-04 Thread Ken Hornstein
>Thanks, Ken. That's what I assumed. Shouldn't that be
>mentioned in the docs? Seems logical, especially after
>the words "If you choose to..."
Sounds like Russ took care of that. Now that I think about it, I'm not sure where I heard about the stash file ...

Re: "If you choose to install a stash file..."

2007-01-09 Thread Daniel Kahn Gillmor
Sorry to be late for this discussion of the stash file. In addition to needing to enter a passphrase to launch krb5kdc (with the -m option), it looks like kdb5_util will also need a passphrase, understandably. This means that the traditional cronjob-triggered kprop -> kpropd replication wo

Re: "If you choose to install a stash file..."

2007-01-10 Thread Ken Hornstein
ually, it shouldn't need a passphrase; the dump files contain the encrypted keys not the decrypted ones, and that's what kprop/kpropd pass around. I thought that the MIT folks told me that they run without a stash file, and I see they have three KDCs.
--Ken

Re: "If you choose to install a stash file..."

2007-01-10 Thread Jeffrey Hutzelman
d. I thought that the MIT folks told me that they run without
> a stash file, and I see they have three KDCs.
I can't speak for current code, but several years ago we ran MIT KDC's with only the master having a stash file, and propagation worked just fine.
-- Jeff

Re: "If you choose to install a stash file..."

2007-01-11 Thread Daniel Kahn Gillmor
more detail first. from kdb5_util(8): When kdb5_util is run, it attempts to acquire the master key and open the database. However, execution continues regardless of whether or not kdb5_util successfully opens the database, because the database may not exist yet

Re: "If you choose to install a stash file..."

2007-01-11 Thread Ken Hornstein
e kind of corruption check that the master key enables; all the entries (except for the master key) could be garbage and having a stash file wouldn't help you.
--Ken
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: "If you choose to install a stash file..."

2007-01-11 Thread Jeffrey Hutzelman
But when the master key _is_ available,
> no verification is done (other than on the master key itself). So
> it's not like there is some kind of corruption check that the master
> key enables; all the entries (except for the master key) could be garbage
> and having a stash file wou

master and n-slaves, stash file and LDAP backend in an automated environment

2016-06-28 Thread Diogenes S. Jesus
Hi everyone. I'm currently struggling to make krb5kdc start without a stash file - and no prompt. As I understood[1] the stash file stores the encrypted master key. This file is used to automate the start up of KDC to decrypt the local (as in on-disk) krb database. However the definition i

Re: master and n-slaves, stash file and LDAP backend in an automated environment

2016-06-28 Thread Greg Hudson
On 06/28/2016 09:58 AM, Diogenes S. Jesus wrote:
> That said, what's the role of the stash file in this scenario? To decrypt
> krbPrincipalKey LDAP attribute?
Yes. Keys in an LDAP KDB are encrypted in the master key just like keys in a DB2 KDB. The idea is that if the Kerberos data