I assume our MIT master key is des3-hmac-sha1:
kdc.conf: master_key_type = des3-hmac-sha1
& our Heimdal master key is des-cbc-crc:
kdc.conf: #master_key_type = des-cbc-crc
Both MIT tools - kdb5_util - & Heimdal tools - hprop - sport options to convert the database, but either they don't work, or I am using them incorrectly.
Henry on the Heimdal list suggested dumping the MIT database unencrypted, but I haven't found an option to do this.
I tried using kdb5_util -mkey_convert -new_mkey_file & our Heimdal master key to re-encrypt the database:
fis:~# kstash
Master key:
Verifying - Master key:
kstash: writing key to `/var/lib/heimdal-kdc/m-key'
fis:~# scp /var/lib/heimdal-kdc/m-key tor:
[EMAIL PROTECTED]'s password:
fis:~# ssh tor kdb5_util dump -b7 -mkey_convert -new_mkey_file m-key > datatrans
[EMAIL PROTECTED]'s password:
dump: Stored master key is corrupted while reading new master key
& I can't figure out how to create an MIT des-cbc-crc master key, for use with kdb5_util -mkey_convert -new_mkey_file.
I tried using hprop -m & our MIT master key to decrypt the database:
fis:~# ssh tor kdb5_util dump -b7 > datatrans
[EMAIL PROTECTED]'s password:
fis:~# scp tor:/etc/krb5kdc/stash .
[EMAIL PROTECTED]'s password:
fis:~# hprop -m stash -d datatrans --source=mit-dump -n | hpropd -n
fis:~# kadmin -l
kadmin> list *
kadmin: get host/[EMAIL PROTECTED]: No correct master key
kadmin: get host/[EMAIL PROTECTED]: No correct master key
kadmin: get imap/[EMAIL PROTECTED]: No correct master key
[...]
I also tried using hprop -m & our Heimdal master key to decrypt the database, with identical results:
fis:~# hprop -m /var/lib/heimdal-kdc/m-key -d datatrans --source=mit-dump -n | hpropd -n
fis:~# kadmin -l
kadmin> list *
kadmin: get host/[EMAIL PROTECTED]: No correct master key
kadmin: get host/[EMAIL PROTECTED]: No correct master key
kadmin: get imap/[EMAIL PROTECTED]: No correct master key
[...]
& I tried creating a Heimdal des3-hmac-sha1 master key, for use with hprop -m:
fis:~# kstash -e des3-hmac-sha1
kstash: krb5_string_to_enctype: encryption type des3-hmac-sha1 not supported
Can MIT dump the database in an unencrypted format? Can MIT re-encrypt the database with a des-cbc-crc master key? Can MIT re-encrypt the database with a Heimdal master key?
Any suggestions how to propagate our database to Heimdal much appreciated!
Many thanks,
Jack
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
