[Freeipa-users] How to change the Kerberos Master Key?

Nicholas Hinds hindsn at gmail.com
Tue Jun 28 18:33:51 UTC 2016


Hi,

I have been trying to change the Kerberos Master Key of my FreeIPA
installation, without success.

On test installations, I have tried following the instructions on
http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key,
but from the "kdb5_util update_princ_encryption" step onwards all kdb5_util
commands fail with "kdb5_util: No matching key in entry while looking up
active master key", and even "kdb5_util list_mkeys" fails to run after that
point.

I found https://fedorahosted.org/freeipa/ticket/4976 to document the
mechanism to change the Kerberos Master Key. It mentions that "Currently
the procedure is very hard and manual", but does not explain what the very
hard and manual way to change the key is.

Is it currently possible to change the Kerberos Master Key? If not, is it
okay to have a weak password set as the Kerberos Master Key if I secure
access to my FreeIPA server?


Thanks,
Nicholas.