
Re: MIT & Heimdal playing together?



Thank you very much for your suggestions, Henry & Ben!

No luck yet finding an option to dump the MIT database decrypted.

As I understand it, our problem is that our MIT database is encrypted 
with an MIT master key, but the Heimdal tools - kadmin & kinit - 
require a database encrypted with a Heimdal master key.

I assume our MIT master key is des3-hmac-sha1:

	kdc.conf: master_key_type = des3-hmac-sha1

& our Heimdal master key is des-cbc-crc:

	kdc.conf: #master_key_type = des-cbc-crc

Both MIT tools - kdb5_util - & Heimdal tools - hprop - sport options 
to convert the database, but either they don't work, or I am using them 
incorrectly.

I tried Ben's suggestion, using hprop -m & our MIT master key to 
decrypt the database:

	fis:~# kstash
	Master key:
	Verifying - Master key:
	kstash: writing key to `/var/lib/heimdal-kdc/m-key'
	fis:~# ssh tor kdb5_util dump -b7 > datatrans
	root@tor's password:
	fis:~# scp tor:/etc/krb5kdc/stash .
	root@tor's password:
	fis:~# hprop -m stash -d datatrans --source=mit-dump -n | hpropd -n
	fis:~# kadmin -l
	kadmin> list *
	kadmin: get host/fis.lat@LAT: No correct master key
	kadmin: get host/tor.lat@LAT: No correct master key
	kadmin: get imap/tor.lat@LAT: No correct master key
	[...]

I also tried using hprop -m & our Heimdal master key to decrypt the 
database, with identical results:

	fis:~# hprop -m /var/lib/heimdal-kdc/m-key -d datatrans --source=mit-dump -n | hpropd -n
	fis:~# kadmin -l
	kadmin> list *
	kadmin: get host/fis.lat@LAT: No correct master key
	kadmin: get host/tor.lat@LAT: No correct master key
	kadmin: get imap/tor.lat@LAT: No correct master key
	[...]

& I tried creating a Heimdal des3-hmac-sha1 master key, for use with 
hprop -m:

	fis:~# kstash -e des3-hmac-sha1
	kstash: krb5_string_to_enctype: encryption type des3-hmac-sha1 not supported

I tried using kdb5_util -mkey_convert -new_mkey_file & our Heimdal 
master key to re-encrypt the database:

	fis:~# scp /var/lib/heimdal-kdc/m-key tor:
	root@tor's password:
	fis:~# ssh tor kdb5_util dump -b7 -mkey_convert -new_mkey_file m-key > datatrans
	root@tor's password:
	dump: Stored master key is corrupted while reading new master key

& I can't figure out how to create an MIT des-cbc-crc master key, for 
use with kdb5_util -mkey_convert -new_mkey_file.

Additional suggestions or insight much appreciated!

Jack

On Oct 8, 2004, at 10:48 AM, Benjamin P Myers wrote:

> I think you can also use hprop with the -m flag to decrypt mit's dump
> with your old master key.  It worked fine for me converting from a mit
> 1.2.7 kdc with whatever the default master key type was.  You may or may
> not have the strange suse 9.0 issue described here:
>
> http://www.stacken.kth.se/lists/heimdal-discuss/2003-10/msg00052.html
>
> On Thursday 07 October 2004 06:57 pm, Henry B. Hotz wrote:
>> On Oct 6, 2004, at 3:37 PM, ms419@freezone.co.uk wrote:
>>> I suspect the problem is that the KDCs use different encryption types.
>>> Our MIT KDC uses des3-hmac-sha1:
>>>
>>> kdc.conf: master_key_type = des3-hmac-sha1
>>>
>>> While I guess our Heimdal KDC uses des-cbc-crc:
>>>
>>> kdc.conf: #master_key_type = des-cbc-crc
>>>
>>> I found this lone message concerning transferring Kerberos databases
>>> from MIT to Heimdal:
>>> http://www.stacken.kth.se/lists/heimdal-discuss/2001-10/msg00049.html
>>>
>>> However I haven't succeeded in re-keying our database. I thought I
>>> need to create a new des-cbc-crc master key with which to re-key our
>>> database, but kdb5_util stash doesn't allow this.
>>>
>>> Has anyone here any suggestions? Or should I ask on the MIT list?
>>
>> Is there an MIT option to do the dump in decrypted form?  That might
>> be something to ask on the MIT kerberos list if you can't find one.
>> Then you just let Heimdal re-encrypt it.  No need to transfer master
>> keys at all.
>>
>> On Heimdal the master key file is just a normal keytab.  You can use
>> all the normal tools to create it with the right kvno/enctype to match
>> your old MIT key.
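As an added example, not from this thread or from either Kerberos distribution: a small Python parser for the version-2 keytab format that Heimdal's kstash writes to m-key, so you can read back the kvno and enctype of each master-key entry and compare them with the MIT master key before running hprop -m. The enctype numbers (1 for des-cbc-crc, 16 for des3-cbc-sha1, the enctype MIT's kdc.conf spells des3-hmac-sha1), the K/M@LAT master principal and the sample keytab bytes are assumptions constructed for the example.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 16: "des3-cbc-sha1"}   # assumed numbers; 16 is MIT's des3-hmac-sha1

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab (for constructed samples)."""
    out = bytearray(b"\x05\x02")                                # keytab format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))                   # component count, realm not counted
        for s in [realm] + comps:                               # realm is stored first
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key     # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                         # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a v2 keytab such as m-key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4]); off += 4
        if size <= 0:                                           # negative size = deleted slot
            off += -size if size else len(data)                 # zero size = corrupt, stop
            continue
        end = off + size
        (ncomp,) = struct.unpack(">H", data[off:off + 2]); off += 2
        parts = []
        for _ in range(ncomp + 1):                              # realm, then name components
            (n,) = struct.unpack(">H", data[off:off + 2]); off += 2
            parts.append(data[off:off + n].decode()); off += n
        off += 8                                                # skip name_type and timestamp
        kvno = data[off]; off += 1
        enctype, klen = struct.unpack(">HH", data[off:off + 4]); off += 4 + klen
        if end - off >= 4:                                      # 32-bit vno, if present, wins
            kvno = struct.unpack(">I", data[off:off + 4])[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        off = end
    return entries

def master_key_report(data, principal="K/M@LAT"):
    """Map each kvno of the master principal to its enctype name, e.g. {1: 'des-cbc-crc'}."""
    return {k: ENCTYPE_NAMES.get(e, "enctype %d" % e) for p, k, e in parse_keytab(data) if p == principal}

# Constructed sample m-key: a kvno-1 des-cbc-crc key plus a kvno-2 des3 key (fake key bytes).
SAMPLE_MKEY = build_keytab([("K/M@LAT", 1, 1, b"\x13" * 8), ("K/M@LAT", 2, 16, b"\x37" * 24)])
```

Point parse_keytab at the bytes of /var/lib/heimdal-kdc/m-key to see which enctype kstash actually stored; if it is not the enctype of the MIT master key, hprop -m cannot decrypt the dump with it.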