[38756] in Kerberos
Re: MIT Kerberos Master principal deletion
daemon@ATHENA.MIT.EDU (Nico Williams)
Thu Jun 11 18:08:03 2020
Date: Thu, 11 Jun 2020 17:05:19 -0500
From: Nico Williams <nico@cryptonector.com>
To: Harshawardhan Kulkarni <harshawardhan.rk@gmail.com>
Message-ID: <20200611220517.GC3080@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAP8kJPf19ho+yURF2xoHUipkBAgEyUcOWETMtom6eHFtnqin4w@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, Jun 11, 2020 at 03:32:35AM +0100, Harshawardhan Kulkarni wrote:
> I basically need advice on an ongoing issue I am currently stuck on.
>
> We have a Kerberised Hadoop Cloudera Cluster. KDC Admin server is on one of
> the nodes. We don't have a failover node for KDC server yet. On the KDC
> admin server while doing a clean up activity for unwanted kdc principals, I
> deleted the master key principal (K/M@REALM.COM). We never took a kdc dump
> of the master key. So we don't have a backup to restore from.
>
> Is there any way I can restore the master key principal?
If you have a running KDC you could use a debugger to recover that key.
It won't be easy. It's not something anyone does on a regular basis, so
I don't have instructions to give you.
> I have tried creating with kdb5_util add_mkey but the error says that KDC
> DB is not able to find a master key credential. I assume this would only
> work when you want to create another master key without deleting the
> primary key.
Adding a new key won't help you: the existing records are encrypted in
the old key.
> Another option for me would be to de-kerberise the cluster and create the
> same REALM and kerberise the cluster again. But there could be serious
> issues if this doesn't fix it, as this is a live cluster where people are using
> this on a daily basis.
You could rebuild your realm, yes. That's a flag day. Users in that
realm will need to be re-enrolled, keytabs will need to be re-created
and distributed...
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
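The thread's underlying lesson is that a `kdb5_util dump` taken before the clean-up would have preserved the K/M record. The script below is an added example, not code from this thread or from MIT Kerberos: it sanity-checks a text dump so that a backup is not trusted until it is known to contain the master-key principal. The field layout it assumes (tab-separated `princ` records with the name in the seventh field and the key-data count in the fifth) follows the MIT `kdb5_util load_dump` text format as I know it, the realm EXAMPLE.COM is a stand-in for the poster's REALM.COM, and the embedded dump is constructed with truncated trailing fields and no real key material.

```python
"""Check that a kdb5_util text dump contains the master-key principal K/M@REALM.

Added example for the thread above; not part of the original posts or of
MIT Kerberos itself. Assumed dump layout (MIT krb5 text dump):
  kdb5_util load_dump version N
  princ <base_len> <name_len> <n_tl_data> <n_key_data> <e_length> <name> ...
  policy <name> ...
"""
import sys
from typing import Dict, List

# Constructed sample dump: structure mimics `kdb5_util dump` output, trailing
# fields are cut short with "..." and no real key material is included.
SAMPLE_DUMP = (
    "kdb5_util load_dump version 7\n"
    "princ\t38\t15\t1\t1\t0\tK/M@EXAMPLE.COM\t64\t0\t0\t0\t0\t0\t0\t0\t...\n"
    "princ\t38\t24\t2\t2\t0\tkadmin/admin@EXAMPLE.COM\t192\t0\t0\t...\n"
    "princ\t38\t34\t2\t2\t0\thdfs/node1.example.com@EXAMPLE.COM\t0\t0\t0\t...\n"
    "policy\tdefault\t0\t0\t1\t1\t1\t0\t0\t0\t0\t0\t0\n"
)


def parse_principals(dump_text: str) -> List[Dict[str, object]]:
    """Return one dict per 'princ' record; reject dumps with a bad header or
    a record whose declared name length disagrees with the name itself
    (a cheap way to catch a truncated or line-wrapped backup)."""
    lines = dump_text.splitlines()
    if not lines or not lines[0].startswith("kdb5_util load_dump version"):
        raise ValueError("not a kdb5_util dump: missing version header")
    records: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = line.split("\t")
        if fields[0] != "princ":
            continue  # 'policy' records and anything else are not principals
        if len(fields) < 7:
            raise ValueError(f"line {lineno}: truncated princ record")
        name = fields[6]
        declared_len = int(fields[2])
        if declared_len != len(name):
            raise ValueError(
                f"line {lineno}: declared name length {declared_len} "
                f"does not match {name!r}"
            )
        records.append({
            "name": name,
            "realm": name.rsplit("@", 1)[-1],
            "n_key_data": int(fields[4]),  # key entries stored for this principal
        })
    return records


def check_dump(dump_text: str, realm: str) -> Dict[str, object]:
    """Summarise the dump: is K/M@realm present, and how many key entries
    does it carry (one per master key version), plus any principals that
    belong to another realm and probably do not belong in this backup."""
    recs = parse_principals(dump_text)
    master = [r for r in recs if r["name"] == f"K/M@{realm}"]
    return {
        "principals": len(recs),
        "master_key_present": bool(master),
        "master_key_entries": master[0]["n_key_data"] if master else 0,
        "foreign_realm_principals": sorted(
            str(r["name"]) for r in recs if r["realm"] != realm
        ),
    }


if __name__ == "__main__":
    # Usage: python check_dump.py /path/to/dump.txt REALM.COM
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    realm = sys.argv[2] if len(sys.argv) > 2 else "EXAMPLE.COM"
    result = check_dump(text, realm)
    print(result)
    sys.exit(0 if result["master_key_present"] else 1)
```

Run it against the file produced by `kdb5_util dump` as part of the backup job; a non-zero exit means the dump would not let you restore the realm's master key, which is exactly the situation the poster ended up in.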