From djm@web.us.uu.net Thu Sep 9 12:04:17 1999
Date: Thu, 9 Sep 1999 12:04:05 -0400 (EDT)
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: can a krb5 realm be renamed?
X-Send-Pr-Version: 3.99

>Number:         748
>Category:       krb5-kdc
>Synopsis:       I can't figure out how to rename a realm in a KDC
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          support
>Submitter-Id:   unknown
>Arrival-Date:   Thu Sep 09 12:05:01 EDT 1999
>Last-Modified:  Thu Sep 09 16:53:01 EDT 1999
>Originator:     David MacKenzie
>Organization:   UUNET Technologies
>Release:        krb5-1.0.5
>Environment:
System: BSD/OS catapult.web.us.uu.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #7: Fri Apr 16 17:29:04 EDT 1999 lidl@enniskillen.eng.us.uu.net:/usr/src/bsdi/sys/compile/DESKTOP i386
>Description:
I'd like to change the name of a realm without invalidating all of the
principals in it.  Nothing I've tried so far has worked.  I'm trying to
rename realm VA.PUBNIX.COM to WEB.WCOM.NET.
>How-To-Repeat:
I used kdb5_util dump, changed the realm name in the ASCII dump file
(and its length field) with sed.

root@keymaster 1 $ kdb5_util -r VA.PUBNIX.COM dump /var/tmp/kdc.web
root@keymaster 2 $ sed s/VA.PUBNIX.COM/WEB.WCOM.NET/g /var/tmp/kdc.dump | awk '/^princ/ { $3--; print} /^kdb5_util/ { print}' > /var/tmp/kdc.web.adj

The first approach I tried for creating a database is to load the whole
dump, master key and all, into an empty database on a different host:

root@agamemnon 278 $ kdb5_util -r WEB.WCOM.NET load /var/tmp/kdc.web.adj
root@agamemnon 279 $ kdb5_util -m stash
Enter KDC database master key:
kdb5_util: Decrypt integrity check failed while verifying master key

Oops.  Can't create the key stash file .k5.WEB.WCOM.NET.  I'm not sure
why.  Try the old one?

root@agamemnon 280 $ cp .k5.VA.PUBNIX.COM .k5.WEB.WCOM.NET
root@agamemnon 282 $ skill -y krb5kdc
root@agamemnon 283 $ /usr/local/krb5/libexec/krb5kdc
krb5kdc: cannot initialize realm WEB.WCOM.NET
Sep 3 20:51:44 agamemnon krb5kdc[6728]: Server not found in Kerberos database - while fetching TGS entry for realm WEB.WCOM.NET

Didn't think that would work.

root@agamemnon 287 $ rm .k5.WEB.WCOM.NET

Okay, the second approach is to create a fresh database and leave the
default entries in it:

root@agamemnon 289 $ \rm princ*
root@agamemnon 290 $ kdb5_util -r WEB.WCOM.NET create -s
Initializing database '/opt/krb5/krb5kdc/principal' for realm 'WEB.WCOM.NET',
master key name 'K/M@WEB.WCOM.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
root@agamemnon 291 $ kadmin.local
kadmin.local:  listprincs
krbtgt/WEB.WCOM.NET@WEB.WCOM.NET
kadmin/admin@WEB.WCOM.NET
kadmin/changepw@WEB.WCOM.NET
kadmin/history@WEB.WCOM.NET
K/M@WEB.WCOM.NET

Then merge in the other entries from the existing realm dump, having
removed the above entries from the existing realm dump first.

root@agamemnon 299 $ kdb5_util -r WEB.WCOM.NET load -update /var/tmp/kdc.web.adj.less
root@agamemnon 301 $ /usr/local/krb5/libexec/krb5kdc
root@agamemnon 302 $ kinit djm/root@WEB.WCOM.NET
Password for djm/root@WEB.WCOM.NET:
kinit: Password incorrect
root@agamemnon 304 $ kinit djm@WEB.WCOM.NET
Password for djm@WEB.WCOM.NET:
kinit: Password incorrect
Sep 3 20:59:23 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLIENT_KEY: djm/root@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integrity check failed
Sep 3 20:59:28 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLIENT_KEY: djm@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integrity check failed

I also tried manually merging the existing realm dump with a dump from
the newly created database, and loading those without -update.  Same
results.

I also discovered that "strings" of the new .db file contains many
references to VA.PUBNIX.COM, even though the dump file from which it was
built does not, in plaintext.  I suppose it's the principal that created
and/or last modified each record.

Now I'm out of ideas.
>Fix:
>Audit-Trail:

From: Ken Hornstein
To: "David J. MacKenzie"
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 09 Sep 1999 16:36:53 -0400

>>>> Synopsis: I can't figure out how to rename a realm in a KDC
>> Short answer: "you can't" (this is in the FAQ, btw).
>
>FAQ?  Where is that?  I don't see one in the source distribution,
>nor is there a URL in there.

It's posted monthly to the newsgroup, and is archived in the standard
places for FAQs.

>Anyway, we figured out that it *is* possible.  Here's how.
>[...]

I can only imagine this working if you have V4-salted keys.  If you don't,
none of those passwords should work.

--Ken

From: "David J. MacKenzie"
To: Ken Hornstein
Cc: djm@web.us.uu.net, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 9 Sep 1999 16:33:07 -0400 (EDT)

On Thu, 09 Sep 1999 12:09:21 -0400, Ken Hornstein said:
>>> Synopsis: I can't figure out how to rename a realm in a KDC
> Short answer: "you can't" (this is in the FAQ, btw).

FAQ?  Where is that?  I don't see one in the source distribution,
nor is there a URL in there.

Anyway, we figured out that it *is* possible.  Here's how.

On the old KDC host:

kdb5_util dump_v4 > old.v4
rcp -x old.v4 NEWHOST

On the new KDC host:

kdb5_util -r NEWREALM create -s
kdb5_util dump_v4 > new.v4
cat new.v4 old.v4 > combined.v4
vi combined.v4

Use vi to merge the new master key and krbtgt and kadmin principals
with the old data.

rm principal*
kdb5_util load_v4 combined.v4
kadmin.local
modprinc -allow_tgs_req kadmin/admin
modprinc +password_changing_service -allow_tgs_req kadmin/changepw
ktadd -k kadm5.keytab kadmin/admin
ktadd -k kadm5.keytab kadmin/changepw

From: "David J. MacKenzie"
To: Ken Hornstein
Cc: "David J. MacKenzie", krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 9 Sep 1999 16:52:05 -0400 (EDT)

On Thu, 09 Sep 1999 16:36:53 -0400, Ken Hornstein said:
> I can only imagine this working if you have V4-salted keys.  If you don't,
> none of those passwords should work.

We have this in the [libdefaults] section of our krb5.conf.  I don't
know if that's what you mean or not.

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

We did originally migrate our v5 KDC from a v4 KDC.  However, principals
created since the v4->v5 migration also work after the realm name change.
>Unformatted:
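Ken's remark about V4-salted keys, illustrated by an added Python example that is not code from the bug report or from MIT krb5: the default Kerberos 5 salt is the realm name followed by the principal's name components, so a stored key stops matching the password once the realm changes, while the Kerberos 4 salt is empty and the key survives the rename (the case this thread ends up in). The string-to-key step is assumed to be the PBKDF2 stage of the AES enctypes (RFC 3962), used here as a stand-in for the DES-based des-cbc-crc derivation the thread uses; the principal and password are constructed.

```python
import hashlib

# Added example, not code from the bug report or from MIT krb5.  It models
# Ken's point: a key is derived from password + salt; the default (v5) salt
# per RFC 4120 is realm + name components, no separators; the V4 salt is "".

V4_SALT = b""  # Kerberos 4 string-to-key used no salt at all

def parse_principal(text):
    """Split 'a/b@REALM' into (components, realm); backslash escapes '/' and '@'."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped separator, keep literally
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            comps.append("".join(cur))
            cur = []
            in_realm = ch == "@"
        else:
            cur.append(ch)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: " + text)
    return comps, "".join(cur)

def default_salt(comps, realm):
    """RFC 4120 default salt: realm, then the name components, unseparated."""
    return (realm + "".join(comps)).encode()

def string_to_key(password, salt):
    """Stand-in string-to-key: the PBKDF2 stage of RFC 3962 (AES enctypes).
    des-cbc-crc, which the thread uses, folds password+salt through DES
    instead, but the salt enters the derivation the same way."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)

def key_survives_rename(principal, new_realm, password, v4_salted):
    """True if the key stored under the old realm still matches the password
    after the principal is carried over to new_realm (what kinit checks)."""
    comps, old_realm = parse_principal(principal)
    if v4_salted:
        old_salt = new_salt = V4_SALT
    else:
        old_salt = default_salt(comps, old_realm)
        new_salt = default_salt(comps, new_realm)
    return string_to_key(password, old_salt) == string_to_key(password, new_salt)
```

Calling key_survives_rename("djm/root@VA.PUBNIX.COM", "WEB.WCOM.NET", "pw", v4_salted=False) returns False, matching the "Decrypt integrity check failed" kinit failures above, and True with v4_salted=True.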