Re: More Possible Issues with 20060826 snapshot

On Sep 25, 2006, at 1:50 PM, Love Hörnquist Åstrand wrote:

> 25 sep 2006 kl. 09.13 skrev Henry B. Hotz:
>> First, should I expect that I can import a dump from 0.5nb into  
>> that snapshot?  It appears that I can't, but I haven't checked the  
>> dump format to ensure they're supposed to be compatible.

I know that some keys didn't import properly.  This is not a large  
DB.  What I actually did IIRC is initdb, dump, load/import old db,
re-merge the initdb dump.  I wanted the infrastructure to be modern, but
to preserve the old keys, what there were of them anyway.

>> Second, is kadmin -l dump --decrypt supposed to still work?  I get  
>> an encrypted database dump whether I use that option or not.   
>> Perhaps you're intending to do away with that option as a safety  
>> measure?  (I happen to like being able to dump a cross-realm key  
>> from one Heimdal and reload it into another.)
> I would assume you could (for both), I guess I need to generate  
> some dump-files and try for myself
> (and add to the regression suite).
> Love

Actually it's not completely encrypted or decrypted.  Out of 18  
entries, 10 are encrypted, but I get the same dump with or without  
the --decrypt flag though.  (diff says so.)  Which is which does not  
match up with what you'd expect from the above setup process.

I can't seem to find the stash file where kdc.conf says it should  
be.  One of the known, functioning keys looks encrypted which doesn't  
seem right.  I can't prove that the original encrypted dump was  
imported with the right master key available.  I think I'm looking at  
some second-order effects, since the inconsistencies seem too large,  
and that doesn't explain which keys are encrypted vice not.

If the (original) problem is a now-missing master key stash, then it  
seems that an error message should have shown up somewhere.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu