Hi,

I have been trying to change the Kerberos Master Key of my FreeIPA
installation, without success.

On test installations, I have tried following the instructions on
http://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-the-master-key,
but from the "kdb5_util update_princ_encryption" step onwards all kdb5_util
commands fail with "kdb5_util: No matching key in entry while looking up
active master key", and even "kdb5_util list_mkeys" fails to run after that
point.

I found https://fedorahosted.org/freeipa/ticket/4976 to document the
mechanism to change the Kerberos Master Key. It mentions that "Currently
the procedure is very hard and manual", but does not explain what the very
hard and manual way to change the key is.

Is it currently possible to change the Kerberos Master Key? If not, is it
okay to have a weak password set as the Kerberos Master Key if I secure
access to my FreeIPA server?


Thanks,
Nicholas.