Re: More Possible Issues with 20060826 snapshot
On Sep 25, 2006, at 1:50 PM, Love Hörnquist Åstrand wrote:
>
> 25 sep 2006 kl. 09.13 skrev Henry B. Hotz:
>
>> First, should I expect that I can import a dump from 0.5nb into
>> that snapshot? It appears that I can't, but I haven't checked the
>> dump format to ensure they're supposed to be compatible.
I know that some keys didn't import properly. This is not a large
DB. What I actually did IIRC is initdb, dump, load/import old db,
re-merge the initdb dump. I wanted the infrastructure to be modern, but
to preserve the old keys, what there were of them anyway.
>> Second, is kadmin -l dump --decrypt supposed to still work? I get
>> an encrypted database dump whether I use that option or not.
>> Perhaps you're intending to do away with that option as a safety
>> measure? (I happen to like being able to dump a cross-realm key
>> from one Heimdal and reload it into another.)
>
> I would assume you could (for both), I guess I need to generate
> some dump-files and try for myself
> (and add to the regression suite).
>
> Love
Actually it's not completely encrypted or decrypted. Out of 18
entries, 10 are encrypted, but I get the same dump with or without
the --decrypt flag though. (diff says so.) Which is which does not
match up with what you'd expect from the above setup process.
I can't seem to find the stash file where kdc.conf says it should
be. One of the known, functioning keys looks encrypted which doesn't
seem right. I can't prove that the original encrypted dump was
imported with the right master key available. I think I'm looking at
some second-order effects, since the inconsistencies seem too large,
and that doesn't explain which keys are encrypted vice not.
If the (original) problem is a now-missing master key stash, then it
seems that an error message should have shown up somewhere.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu