(Sorry for the slow response.)

On 10/01/2018 08:54 PM, Eric Hattemer wrote:
> We have a production Kerberos cluster, and a test cluster. I'd like to
> refresh test from production without overwriting those principals that
> are specific to test. We also have something wrong with our production
> master database where it will respond to 'kdb5_util dump -verbose'
> commands by either hanging or looping.

Release 1.15 added (well, re-added) "kdb5_util dump -recurse" which can help with this situation. The DB2 format contains iteration pointers as well as parent-child pointers; if the iteration pointers are corrupt, lookups work but iteration does not. Dumping with the -recurse option forces the use of the parent-child pointers for iteration.

> kdb5_util: Decrypt integrity check failed while converting b@REALM to
> new master key
> kdb5_util: Decrypt integrity check failed performing Kerberos version 5
> release 1.11 dump
> That account is involved in some automated testing. Dumps failed both
> before and after the account successfully changed its password and
> logged in. So the principal works, it just can't be dumped with
> mkey_convert. The whole database dumps fine without mkey_convert. I
> had two mkeys loaded in the database. I tried:
>
> sudo kdb5_util use_mkey 1
> sudo kdb5_util update_princ_encryption b@REALM
>
> and it converted just fine.

I don't have any good theories here. kdb5_util dump -mkey_convert and kdb5_util update_princ_encryption both use similar code paths to decrypt the existing key entries (src/kadmin/dbutil/dump.c:master_key_convert()), so it's strange that one would fail and the other would succeed. There was a bug related to the -keepold flag which we fixed in 1.13:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7995

but I would expect that problem to apply to update_princ_encryption, and you didn't mention using the -keepold flag.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
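As an added example (not from this thread or from MIT krb5), one way to script the refresh Eric describes: dump production with -recurse so a database with corrupt iteration pointers still dumps, drop the records for principals whose test-specific versions must survive, and merge the rest into the test database with kdb5_util load -update, which leaves principals that exist only in test untouched. It assumes the version 7 text dump format (each principal record is a tab-separated line starting with "princ", with the name in the seventh field and its length in the third), that both KDCs share a realm and master key, and placeholder file paths.

```shell
#!/bin/sh
# Refresh a test KDC from a production dump while keeping test-specific
# principals. Added example; file paths below are placeholders.

# strip_principals EXCLUDE_FILE < prod.dump > filtered.dump
# EXCLUDE_FILE lists one principal per line whose test version must be kept.
# Assumption: version 7 dump format, name in field 7, name length in field 3.
strip_principals() {
    awk -F '\t' -v excl="$1" '
        BEGIN { while ((getline p < excl) > 0) if (p != "") skip[p] = 1 }
        $1 == "princ" {
            # Sanity check the record before trusting the name field.
            if (length($7) != $3 + 0) {
                printf "malformed princ record: %s\n", $7 > "/dev/stderr"
                exit 2
            }
            if ($7 in skip) next   # keep the test copy of this principal
        }
        { print }                  # header, policy and remaining princ lines
    '
}

# Run on the test KDC once /var/tmp/prod.dump has been copied over from
# production, where it was produced with: kdb5_util dump -recurse prod.dump
refresh_test_kdc() {
    strip_principals /etc/krb5kdc/test-only.princs \
        < /var/tmp/prod.dump > /var/tmp/filtered.dump || return 1
    # -update merges: dump records are added or replaced, the rest stay.
    kdb5_util load -update /var/tmp/filtered.dump
}
```

Take a normal dump of the test database before loading so the merge can be reverted.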