From djm@web.us.uu.net Thu Sep 9 12:04:17 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA22467 for <bugs@RT-11.MIT.EDU>; Thu, 9 Sep 1999 12:04:16 -0400
Received: from catapult.web.us.uu.net by MIT.EDU with SMTP
id AA02700; Thu, 9 Sep 99 12:03:57 EDT
Received: by catapult.web.us.uu.net
id MAA24549; Thu, 9 Sep 1999 12:04:05 -0400 (EDT)
Message-Id: <MAA24549.199909091604@catapult.web.us.uu.net>
Date: Thu, 9 Sep 1999 12:04:05 -0400 (EDT)
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: can a krb5 realm be renamed?
X-Send-Pr-Version: 3.99

>Number: 748
>Category: krb5-kdc
>Synopsis: I can't figure out how to rename a realm in a KDC
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: support
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 09 12:05:01 EDT 1999
>Last-Modified: Thu Sep 09 16:53:01 EDT 1999
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.0.5
>Environment:
System: BSD/OS catapult.web.us.uu.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #7: Fri Apr 16 17:29:04 EDT 1999 lidl@enniskillen.eng.us.uu.net:/usr/src/bsdi/sys/compile/DESKTOP i386

>Description:
I'd like to change the name of a realm without invalidating all of
the principals in it. Nothing I've tried so far has worked.
I'm trying to rename realm VA.PUBNIX.COM to WEB.WCOM.NET.
>How-To-Repeat:
I used kdb5_util dump, changed the realm name
in the ASCII dump file (and its length field) with sed.

root@keymaster 1 $ kdb5_util -r VA.PUBNIX.COM dump /var/tmp/kdc.web
root@keymaster 2 $ sed s/VA.PUBNIX.COM/WEB.WCOM.NET/g /var/tmp/kdc.dump |
awk '/^princ/ { $3--; print} /^kdb5_util/ { print}' > /var/tmp/kdc.web.adj

The first approach I tried for creating a database is to load the
whole dump, master key and all, into an empty database on a
different host:

root@agamemnon 278 $ kdb5_util -r WEB.WCOM.NET load /var/tmp/kdc.web.adj
root@agamemnon 279 $ kdb5_util -m stash
Enter KDC database master key:
kdb5_util: Decrypt integrity check failed while verifying master key

Oops. Can't create the key stash file .k5.WEB.WCOM.NET. I'm not sure
why. Try the old one?

root@agamemnon 280 $ cp .k5.VA.PUBNIX.COM .k5.WEB.WCOM.NET
root@agamemnon 282 $ skill -y krb5kdc
root@agamemnon 283 $ /usr/local/krb5/libexec/krb5kdc
krb5kdc: cannot initialize realm WEB.WCOM.NET
Sep 3 20:51:44 agamemnon krb5kdc[6728]: Server not found in Kerberos database - while fetching TGS entry for realm WEB.WCOM.NET

Didn't think that would work.
root@agamemnon 287 $ rm .k5.WEB.WCOM.NET

Okay, the second approach is to create a fresh database and leave the
default entries in it:

root@agamemnon 289 $ \rm princ*
root@agamemnon 290 $ kdb5_util -r WEB.WCOM.NET create -s
Initializing database '/opt/krb5/krb5kdc/principal' for realm 'WEB.WCOM.NET',
master key name 'K/M@WEB.WCOM.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

root@agamemnon 291 $ kadmin.local
kadmin.local: listprincs
krbtgt/WEB.WCOM.NET@WEB.WCOM.NET
kadmin/admin@WEB.WCOM.NET
kadmin/changepw@WEB.WCOM.NET
kadmin/history@WEB.WCOM.NET
K/M@WEB.WCOM.NET

Then merge in the other entries from the existing realm dump, having
removed the above entries from the existing realm dump first.

root@agamemnon 299 $ kdb5_util -r WEB.WCOM.NET load -update /var/tmp/kdc.web.adj.less
root@agamemnon 301 $ /usr/local/krb5/libexec/krb5kdc
root@agamemnon 302 $ kinit djm/root@WEB.WCOM.NET
Password for djm/root@WEB.WCOM.NET:
kinit: Password incorrect
root@agamemnon 304 $ kinit djm@WEB.WCOM.NET
Password for djm@WEB.WCOM.NET:
kinit: Password incorrect

Sep 3 20:59:23 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLIENT_KEY: djm/root@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integrity check failed
Sep 3 20:59:28 agamemnon krb5kdc[6748]: AS_REQ 208.211.134.61(88): DECRYPT_CLIENT_KEY: djm@WEB.WCOM.NET for krbtgt/WEB.WCOM.NET@WEB.WCOM.NET, Decrypt integrity check failed

I also tried manually merging the existing realm dump with a dump from the
newly created database, and loading those without -update. Same results.

I also discovered that "strings" of the new .db file contains many
references to VA.PUBNIX.COM, even though the dump file from which it
was built does not, in plaintext. I suppose it's the principal that
created and/or last modified each record.

Now I'm out of ideas.
>Fix:
>Audit-Trail:

From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: "David J. MacKenzie" <djm@web.us.uu.net>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 09 Sep 1999 16:36:53 -0400

>>>> Synopsis: I can't figure out how to rename a realm in a KDC
>> Short answer: "you can't" (this is in the FAQ, btw).
>
>FAQ? Where is that? I don't see one in the source distribution,
>nor is there a URL in there.

It's posted monthly to the newsgroup, and is archived in the standard
places for FAQs.

>Anyway, we figured out that it *is* possible. Here's how.
>[...]

I can only imagine this working if you have V4-salted keys. If you don't,
none of those passwords should work.

--Ken

From: "David J. MacKenzie" <djm@web.us.uu.net>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: djm@web.us.uu.net, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 9 Sep 1999 16:33:07 -0400 (EDT)

On Thu, 09 Sep 1999 12:09:21 -0400, Ken Hornstein <kenh@cmf.nrl.navy.mil> said:

>>> Synopsis: I can't figure out how to rename a realm in a KDC
> Short answer: "you can't" (this is in the FAQ, btw).

FAQ? Where is that? I don't see one in the source distribution,
nor is there a URL in there.

Anyway, we figured out that it *is* possible. Here's how.

On the old KDC host:

kdb5_util dump_v4 > old.v4
rcp -x old.v4 NEWHOST

On the new KDC host:

kdb5_util -r NEWREALM create -s
kdb5_util dump_v4 > new.v4
cat new.v4 old.v4 > combined.v4
vi combined.v4
Use vi to merge the new master key and krbtgt and kadmin principals
with the old data.
rm principal*
kdb5_util load_v4 combined.v4

kadmin.local
modprinc -allow_tgs_req kadmin/admin
modprinc +password_changing_service -allow_tgs_req kadmin/changepw
ktadd -k kadm5.keytab kadmin/admin
ktadd -k kadm5.keytab kadmin/changepw

From: "David J. MacKenzie" <djm@web.us.uu.net>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: "David J. MacKenzie" <djm@web.us.uu.net>, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/748: can a krb5 realm be renamed?
Date: Thu, 9 Sep 1999 16:52:05 -0400 (EDT)

On Thu, 09 Sep 1999 16:36:53 -0400, Ken Hornstein <kenh@cmf.nrl.navy.mil> said:

> I can only imagine this working if you have V4-salted keys. If you don't,
> none of those passwords should work.

We have this in the [libdefaults] section of our krb5.conf. I don't
know if that's what you mean or not.

default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

We did originally migrate our v5 KDC from a v4 KDC. However,
principals created since the v4->v5 migration also work after the
realm name change.
>Unformatted:
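The whole thread turns on one detail that neither message spells out: a principal's long-term key is derived from its password and a salt, and the default ("normal") salt is the realm name followed by the principal's name components. Editing realm names in an ASCII dump leaves the stored keys, computed over the old salt, untouched, while the KDC now tells clients to derive their key from the new salt; the client key no longer matches and the KDC logs "Decrypt integrity check failed". Keys with the Kerberos 4 salt type (MIT's `v4` keysalt, as in `des-cbc-crc:v4` in kdc.conf's `supported_enctypes`) use an empty salt, so they are independent of the realm name, which is why Ken says the trick only works with V4-salted keys and why a `dump_v4`/`load_v4` round trip (the V4 database format has no salt) carries them across. The following is an added example, not code from the report or from MIT krb5, that computes the salt for MIT's keysalt types and checks which ones survive a rename. The string-to-key function is a stand-in: PBKDF2-HMAC-SHA1 as RFC 3962 uses it for the AES enctypes, with their final DK step omitted. The des-cbc-crc string-to-key of the report is a different function, but it consumes the same salt string, so the realm dependence is the same. The realms and principal are the report's; the password is constructed.

```python
"""Why renaming a Kerberos realm breaks passwords, and why V4-salted keys survive.

Added example; not code from the bug report or from MIT krb5. The realms and
principal name are taken from the report; the password is constructed.
"""
import hashlib


def kerberos_salt(salttype: str, name: str, realm: str) -> str:
    """Return the salt a KDC mixes into string-to-key for `name@realm`.

    `salttype` is one of MIT krb5's keysalt names as written in kdc.conf's
    supported_enctypes ("des-cbc-crc:normal", "des-cbc-crc:v4", ...).
    `name` is the principal without its realm, e.g. "djm/root"; name
    components are separated by "/".
    """
    components = name.split("/")
    if salttype == "normal":
        # Kerberos 5 default: realm followed by the name components, no separators.
        return realm + "".join(components)
    if salttype == "v4":
        # Kerberos 4 compatibility: no salt at all, so the key does not depend
        # on the realm name (or on the principal name).
        return ""
    if salttype == "norealm":
        return "".join(components)
    if salttype == "onlyrealm":
        return realm
    raise ValueError(f"unsupported salt type: {salttype}")


def string_to_key(password: str, salt: str,
                  keylen: int = 16, iterations: int = 4096) -> bytes:
    """Stand-in string-to-key: PBKDF2-HMAC-SHA1 as RFC 3962 uses for the AES
    enctypes (their final DK step is omitted here). The des-cbc-crc
    string-to-key used in the report is a different function, but it is fed
    the same salt string, so the dependence on the realm is identical.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def rename_survives(salttype: str, name: str, password: str,
                    old_realm: str, new_realm: str) -> bool:
    """True if the key stored while the principal lived in old_realm still
    verifies the same password once the principal is moved to new_realm,
    i.e. whether an AS_REQ would still decrypt after the rename."""
    old_key = string_to_key(password, kerberos_salt(salttype, name, old_realm))
    new_key = string_to_key(password, kerberos_salt(salttype, name, new_realm))
    return old_key == new_key


if __name__ == "__main__":
    OLD, NEW = "VA.PUBNIX.COM", "WEB.WCOM.NET"   # realms from the report
    PASSWORD = "correct horse battery staple"    # constructed for the demo
    for st in ("normal", "v4", "norealm", "onlyrealm"):
        salt = kerberos_salt(st, "djm/root", OLD)
        ok = rename_survives(st, "djm/root", PASSWORD, OLD, NEW)
        print(f"{st:10s} salt={salt!r:26s} survives rename: {ok}")
```

Run stand-alone it prints one line per salt type; only `v4` and `norealm` report that the rename survives. The practical check before attempting the procedure in the thread is therefore the salt type recorded on each principal's key data (`kadmin.local getprinc` shows it), not the enctype list in krb5.conf's `[libdefaults]`: `des-cbc-crc` with a normal salt breaks on rename just like any other enctype.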