Subject: kdb5_util update_princ_encryption uses latest mkey instead of active mkey
Another bug which Tom found, and I've investigated a little bit:

1. kdb5_util add_mkey -s
2. kdb5_util update_princ_encryption

The second command updates all of the principals to the new key even
though it hasn't been activated with use_mkey yet.
Also, if you "kdb5_util purge_mkeys" after those two operations, you get a
bad error message:

Purging the follwing master key(s) from K/M@KRBTEST.COM:
KVNO: 1
kdb5_util: Invalid argument while updating actkvno data for master
principal entry

This happens because kdb5_purge_mkeys computes an empty active mkvno and
krb5_db_fetch_mkey_list rejects it with EINVAL.

This is technically a separate bug, but would be difficult to reproduce if
the update_princ_encryption bug is fixed, so I'm noting it here.
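
The two behaviours reported above, as an added example that is not part of the ticket or of krb5's source: a simplified C model contrasting "latest" with "active" master key selection, and showing how purging after the pre-fix update leaves no activation record. The struct `act_entry`, the functions `latest_mkvno`, `active_mkvno` and `purge_unused`, and the sample values are all hypothetical, and the purge rule (drop records whose kvno no principal uses) is an assumption.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of one activation record on K/M; not krb5's own struct. */
struct act_entry { unsigned kvno; long act_time; };

/* Pre-fix behaviour from the ticket: newest master key version, activated or not. */
unsigned latest_mkvno(const unsigned *kvnos, size_t n)
{
    unsigned best = 0;
    for (size_t i = 0; i < n; i++)
        if (kvnos[i] > best)
            best = kvnos[i];
    return best;
}

/* Post-fix behaviour: the version whose activation time is the most recent
 * one not later than now. Returns 0 when nothing is active yet. */
unsigned active_mkvno(const struct act_entry *act, size_t n, long now)
{
    unsigned kvno = 0;
    long best = 0;
    for (size_t i = 0; i < n; i++) {
        if (act[i].act_time <= now && (kvno == 0 || act[i].act_time > best)) {
            kvno = act[i].kvno;
            best = act[i].act_time;
        }
    }
    return kvno;
}

/* Purge model (assumed rule): keep only activation records whose kvno still
 * encrypts some principal. Returns the number of records left; 0 is the
 * empty list that the ticket says is rejected with EINVAL. */
size_t purge_unused(struct act_entry *act, size_t n, unsigned princ_kvno)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (act[i].kvno == princ_kvno)
            act[kept++] = act[i];
    return kept;
}

int main(void)
{
    unsigned kvnos[] = { 1, 2 };              /* constructed: after add_mkey -s */
    struct act_entry act[] = { { 1, 100 } };  /* kvno 2 never given to use_mkey */
    printf("latest=%u active=%u\n", latest_mkvno(kvnos, 2), active_mkvno(act, 1, 1000));
    printf("records left after pre-fix purge: %zu\n", purge_unused(act, 1, 2));
    return 0;
}
```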
From: ghudson@mit.edu
Subject: git commit

Use active master key in update_princ_encryption

kdb5_util update_princ_encryption should update to the active master
key version, not the most recent.

https://github.com/krb5/krb5/commit/4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8
Branch: master
doc/admin/admin_commands/kdb5_util.rst | 4 ++--
src/kadmin/dbutil/kdb5_mkey.c | 15 +++++----------
2 files changed, 7 insertions(+), 12 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Use active master key in update_princ_encryption

kdb5_util update_princ_encryption should update to the active master
key version, not the most recent.

(cherry picked from commit 4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8)

https://github.com/krb5/krb5/commit/fa728fc6cc8a3379d10cae7876be32d379fc51be
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: fa728fc6cc8a3379d10cae7876be32d379fc51be
Branch: krb5-1.12
doc/admin/admin_commands/kdb5_util.rst | 4 ++--
src/kadmin/dbutil/kdb5_mkey.c | 15 +++++----------
2 files changed, 7 insertions(+), 12 deletions(-)