Thanks, Greg! I also found this procedure; we'll use modprinc on the other actual user/service principals, and then follow this for modifying the krbtgt.
http://web.mit.edu/kerberos/krb5-1.13/doc/admin/database.html#changing-krbtgt-key

On Wed, Jun 1, 2016 at 12:25 PM, Greg Hudson <ghud...@mit.edu> wrote:

> On 06/01/2016 02:13 PM, Todd Grayson wrote:
> > Is there any kind of guidance or rules of thumb around deleting and
> > re-creating the default krbtgt principal for a KDC? I've not been able to
> > find specific discussion on doing this, or what the requirements would be
> > for properly re-creating the entry.
> >
> > The issue has to do with wanting to reset a number of values in the entry
> > rather than using modprinc so many times over the entry.
> >
> > Or is this a "don't do it" kind of thing?
>
> I would recommend against it. At best you would be invalidating all
> existing TGTs; at worst you could get stuck in an unrecoverable state,
> with no way to access the KDC host or connect to kadmin.
>
> You can make multiple modifications to an entry in a single modprinc
> operation. Even if you make the modifications one at a time, I wouldn't
> expect any problems from performing a dozen or so modprinc operations on
> the same entry in quick succession.

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME