From djm@web.us.uu.net Thu Sep 9 12:04:17 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA22467 for <bugs@RT-11.MIT.EDU>; Thu, 9 Sep 1999 12:04:16 -0400
Received: from catapult.web.us.uu.net by MIT.EDU with SMTP
id AA02700; Thu, 9 Sep 99 12:03:57 EDT
Received: by catapult.web.us.uu.net
id MAA24549; Thu, 9 Sep 1999 12:04:05 -0400 (EDT)
Message-Id: <MAA24549.199909091604@catapult.web.us.uu.net>
Date: Thu, 9 Sep 1999 12:04:05 -0400 (EDT)
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: can a krb5 realm be renamed?
X-Send-Pr-Version: 3.99
>Number: 748
>Category: krb5-kdc
>Synopsis: I can't figure out how to rename a realm in a KDC
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: support
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 09 12:05:01 EDT 1999
>Last-Modified: Thu Sep 09 16:53:01 EDT 1999
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.0.5
>Environment:
System: BSD/OS catapult.web.us.uu.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #7: Fri Apr 16 17:29:04 EDT 1999 lidl@enniskillen.eng.us.uu.net:/usr/src/bsdi/sys/compile/DESKTOP i386
>Description:
I'd like to change the name of a realm without invalidating all of
the principals in it. Nothing I've tried so far has worked.
I'm trying to rename realm VA.PUBNIX.COM to WEB.WCOM.NET.
>How-To-Repeat:
I used kdb5_util dump, changed the realm name
in the ASCII dump file (and its length field) with sed.
root@keymaster 1 $ kdb5_util -r VA.PUBNIX.COM dump /var/tmp/kdc.web
root@keymaster 2 $ sed s/VA.PUBNIX.COM/WEB.WCOM.NET/g /var/tmp/kdc.dump |
awk '/^princ/ { $3--; print} /^kdb5_util/ { print}' > /var/tmp/kdc.web.adj
The first approach I tried for creating a database is to load the
whole dump, master key and all, into an empty database on a
different host:
root@agamemnon 278 $ kdb5_util -r WEB.WCOM.NET load /var/tmp/kdc.web.adj
root@agamemnon 279 $ kdb5_util -m stash
Enter KDC database master key:
kdb5_util: Decrypt integrity check failed while verifying master key
Oops. Can't create the key stash file .k5.WEB.WCOM.NET. I'm not sure
why. Try the old one?
root@agamemnon 280 $ cp .k5.VA.PUBNIX.COM .k5.WEB.WCOM.NET
root@agamemnon 282 $ skill -y krb5kdc
root@agamemnon 283 $ /usr/local/krb5/libexec/krb5kdc
krb5kdc: cannot initialize realm WEB.WCOM.NET
Sep 3 20:51:44 agamemnon krb5kdc[6728]: Server not found in Kerberos database \
- while fetching TGS entry for realm WEB.WCOM.NET
Didn't think that would work.
root@agamemnon 287 $ rm .k5.WEB.WCOM.NET
Okay, the second approach is to create a fresh database and leave the
default entries in it:
root@agamemnon 289 $ \rm princ*
root@agamemnon 290 $ kdb5_util -r WEB.WCOM.NET create -s
Initializing database '/opt/krb5/krb5kdc/principal' for realm 'WEB.WCOM.NET',
master key name 'K/M@WEB.WCOM.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
root@agamemnon 291 $ kadmin.local
kadmin.local: listprincs
krbtgt/WEB.WCOM.NET@WEB.WCOM.NET
kadmin/admin@WEB.WCOM.NET
kadmin/changepw@WEB.WCOM.NET
kadmin/history@WEB.WCOM.NET
K/M@WEB.WCOM.NET
Then merge in the other entries from the existing realm dump, having
removed the above entries from the existing realm dump first.
root@agamemnon 299 $ kdb5_util -r WEB.WCOM.NET load -update /var/tmp/kdc.web.ad\
j.less
root@agamemnon 301 $ /usr/local/krb5/libexec/krb5kdc
root@agamemnon 302 $ kinit djm/root@WEB.WCOM.NET
Password for djm/root@WEB.WCOM.NET:
kinit: Password incorrect
root@agamemnon 304 $ kinit djm@WEB.WCOM.NET
Password for djm@WEB.WCOM.NET:
kinit: Password incorrect
Sep 3 20:59:23 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLI\
ENT_KEY: djm/root@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt in\
tegrity check failed
Sep 3 20:59:28 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLI\
ENT_KEY: djm@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integri\
ty check failed
I also tried manually merging the existing realm dump with a dump from the
newly created database, and loading those without -update. Same results.
I also discovered that "strings" of the new .db file contains many
references to VA.PUBNIX.COM, even though the dump file from which it
was built does not, in plaintext. I suppose it's the principal that
created and/or last modified each record.
Now I'm out of ideas.
>Fix:
>Audit-Trail:
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: "David J. MacKenzie" <djm@web.us.uu.net>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 09 Sep 1999 16:36:53 -0400
>>>> Synopsis: I can't figure out how to rename a realm in a KDC
>> Short answer: "you can't" (this is in the FAQ, btw).
>
>FAQ? Where is that? I don't see one in the source distribution,
>nor is there a URL in there.
It's posted monthly to the newsgroup, and is archived in the standard
places for FAQs.
>Anyway, we figured out that it *is* possible. Here's how.
>[...]
>[...]
I can only imagine this working if you have V4-salted keys. If you don't,
none of those passwords should work.
--Ken
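The point about V4-salted keys above, illustrated as an added example (not part of the original thread and not MIT krb5 code): the default Kerberos 5 salt is the realm followed by the principal's name components, while Kerberos 4 keys use an empty salt, so only the latter are unaffected by a realm rename. PBKDF2 stands in here for the DES string-to-key used with des-cbc-crc, and the password is a constructed sample.

```python
import hashlib


def v5_default_salt(principal: str) -> bytes:
    """Default Kerberos 5 salt: realm, then the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def v4_salt(principal: str) -> bytes:
    """Kerberos 4 keys use an empty salt, so the realm never enters the key."""
    return b""


def string_to_key(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA1 is a stand-in KDF. The page's keys are
    # des-cbc-crc, whose string-to-key differs, but it mixes in the salt too.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)


def survives_rename(principal: str, new_realm: str, password: str, salt_fn) -> bool:
    """True if the key stored under the old realm still matches the key a
    client derives from the same password once the realm has been renamed."""
    name = principal.rsplit("@", 1)[0]
    stored = string_to_key(password, salt_fn(principal))
    derived = string_to_key(password, salt_fn(f"{name}@{new_realm}"))
    return stored == derived


if __name__ == "__main__":
    old = "djm/root@VA.PUBNIX.COM"   # principal and realms taken from the report
    pw = "constructed-sample-pw"     # constructed value, not from the page
    print("old salt:", v5_default_salt(old))
    print("v5 default salt survives:", survives_rename(old, "WEB.WCOM.NET", pw, v5_default_salt))
    print("v4 empty salt survives:  ", survives_rename(old, "WEB.WCOM.NET", pw, v4_salt))
```

A key derived with the realm in its salt no longer matches after the rename, which is consistent with the "Decrypt integrity check failed" lines in the KDC log from the first attempts.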
From: "David J. MacKenzie" <djm@web.us.uu.net>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: djm@web.us.uu.net, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 9 Sep 1999 16:33:07 -0400 (EDT)
On Thu, 09 Sep 1999 12:09:21 -0400, Ken Hornstein <kenh@cmf.nrl.navy.mil> said:
>>> Synopsis: I can't figure out how to rename a realm in a KDC
> Short answer: "you can't" (this is in the FAQ, btw).
FAQ? Where is that? I don't see one in the source distribution,
nor is there a URL in there.
Anyway, we figured out that it *is* possible. Here's how.
On the old KDC host:
kdb5_util dump_v4 > old.v4
rcp -x old.v4 NEWHOST
On the new KDC host:
kdb5_util -r NEWREALM create -s
kdb5_util dump_v4 > new.v4
cat new.v4 old.v4 > combined.v4
vi combined.v4
Use vi to merge the new master key and krbtgt and kadmin principals
with the old data.
rm principal*
kdb5_util load_v4 combined.v4
kadmin.local
modprinc -allow_tgs_req kadmin/admin
modprinc +password_changing_service -allow_tgs_req kadmin/changepw
ktadd -k kadm5.keytab kadmin/admin
ktadd -k kadm5.keytab kadmin/changepw
From: "David J. MacKenzie" <djm@web.us.uu.net>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: "David J. MacKenzie" <djm@web.us.uu.net>, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 9 Sep 1999 16:52:05 -0400 (EDT)
On Thu, 09 Sep 1999 16:36:53 -0400, Ken Hornstein <kenh@cmf.nrl.navy.mil> said:
> I can only imagine this working if you have V4-salted keys. If you don't,
> none of those passwords should work.
We have this in the [libdefaults] section of our krb5.conf. I don't
know if that's what you mean or not.
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
We did originally migrate our v5 KDC from a v4 KDC. However,
principals created since the v4->v5 migration also work after the
realm name change.
>Unformatted: