Subject: kdb5_util add_mkey should ensure master key activation times list exists

The master key activation times list is a tl-data value on the K/M entry containing {kvno, time} tuples, and determines which master key is considered "active" for the purpose of encrypting new keys. This list is currently written by the kdb5_util create, use_mkey, and purge_mkeys commands. If a KDB was created before 1.7, the list will not exist in the K/M entry unless someone has run use_mkey.

In the absence of this list, we have some not-very-optimal fallbacks:

* kadmin/kadmin.local will synthesize a list which assumes that the most recent mkvno is active.

* kdb5_util list_mkeys will display the current time as the "active on" time for all master keys, and will assume that the most recent mkvno is active.

As a result, if you run "kdb5_util add_mkey" on an old KDB, the new master key becomes active immediately (although kadmind will not recognize this until it restarts; see #7685), before you have had a chance to propagate the new master key to slave KDCs.

kdb5_util add_mkey should ensure that the master key activation times list exists, so that we get consistent behavior with old and new KDBs.
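The activation-list semantics the ticket describes, as an added example written for this page and not code from krb5: a small Python model of the K/M entry that shows the "most recent mkvno is active" fallback when the list is missing, why add_mkey on such a KDB activates the new key at once, and how first synthesizing the list (the proposed fix) keeps the old key active until use_mkey schedules the new one. The functions `active_mkvno`, `add_mkey` and `use_mkey`, the tie-breaking rule, and the activation time 0 written for the synthesized entry are assumptions of this model; the ticket does not specify them.

```python
# Added example: model of the master key activation times list on the K/M
# entry. Not krb5 code; function names and the rules below are assumptions.


def active_mkvno(mkvnos, act_list, now):
    """Return the mkvno that is considered active at Unix time `now`.

    mkvnos   - kvnos of all master keys present in the K/M entry
    act_list - list of (kvno, activation_time) tuples, or None when the
               K/M entry carries no activation times tl-data (pre-1.7 KDB)
    """
    if not act_list:
        # The fallback the ticket describes: with no list, assume the most
        # recent (highest) mkvno is the active one.
        return max(mkvnos)
    # Model assumption: among entries whose activation time has already
    # passed, the latest activation wins; ties go to the higher kvno.
    eligible = [(t, kvno) for kvno, t in act_list if t <= now and kvno in mkvnos]
    if not eligible:
        raise ValueError("no master key has an activation time <= now")
    return max(eligible)[1]


def use_mkey(act_list, kvno, when):
    """Model of use_mkey: schedule `kvno` to become active at time `when`."""
    return sorted((act_list or []) + [(kvno, when)], key=lambda e: e[1])


def add_mkey(mkvnos, act_list, ensure_list=False):
    """Model of add_mkey: add a new master key (kvno = highest + 1).

    add_mkey never activates the new key itself. With ensure_list=True the
    activation list is synthesized first when it is missing, recording the
    current highest mkvno as active (activation time 0 is an assumption of
    this model; the ticket does not say which timestamp to record).
    Returns (new_mkvnos, new_act_list).
    """
    mkvnos = list(mkvnos)
    act_list = list(act_list) if act_list else None
    if ensure_list and act_list is None:
        act_list = [(max(mkvnos), 0)]
    mkvnos.append(max(mkvnos) + 1)
    return mkvnos, act_list


def demo_old_kdb_without_fix():
    """Pre-1.7 KDB (no list), current add_mkey: returns (active before, after)."""
    mkvnos, act_list = [1, 2], None          # constructed K/M entry
    before = active_mkvno(mkvnos, act_list, now=1000)
    mkvnos, act_list = add_mkey(mkvnos, act_list, ensure_list=False)
    after = active_mkvno(mkvnos, act_list, now=1000)
    return before, after                     # (2, 3): new key active at once


def demo_old_kdb_with_fix():
    """Same KDB, add_mkey that ensures the list exists: old key stays active."""
    mkvnos, act_list = [1, 2], None          # constructed K/M entry
    mkvnos, act_list = add_mkey(mkvnos, act_list, ensure_list=True)
    still_active = active_mkvno(mkvnos, act_list, now=1000)   # 2
    # The new key only takes over once use_mkey schedules it and that time
    # has passed, which leaves room to propagate it to the other KDCs first.
    act_list = use_mkey(act_list, 3, when=2000)
    return still_active, active_mkvno(mkvnos, act_list, now=1500), \
        active_mkvno(mkvnos, act_list, now=2000)             # (2, 2, 3)


if __name__ == "__main__":
    print("without fix:", demo_old_kdb_without_fix())
    print("with fix:   ", demo_old_kdb_with_fix())
```

The interesting edge is the missing-list path: with `act_list` absent, `active_mkvno` has nothing to consult but the kvno ordering, so any key add_mkey appends is "active" the moment it lands in the K/M entry. Writing a one-entry list before adding the key turns the old and new KDB cases into the same code path.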