


krb5kdc: Cannot find master key record in database - while fetching master keys list for realm

Hi

I have a Kerberos server that has been running for months without any
problems.

Today when I went to log into my kdc machine I had the following error
in my logs:

May 09 10:47:52 svgauth1 krb5kdc[2451](Error): TGS_REQ: UNKNOWN SERVER:
server='krbtgt/VC.LS.CBN@LS.CBN'
May 09 10:47:52 svgauth1 krb5kdc[2451](info): TGS_REQ (4 etypes {18 17
16 23}) 172.20.133.141: PROCESS_TGS: authtime 0,  <unknown client> for
<unknown server>, Server not found in Kerberos database

I am using the ldap backend and I checked in LDAP and everything looked
ok so I attempted to restart my kdc.

My kdc failed to restart with: krb5kdc: Cannot find master key record in
database - while fetching master keys list for realm VC.LS.CBN

I have the K/M@VC.LS.CBN principal in the ldap directory and it looks ok.

Any ideas as to where my problem may be?  Can this entry be corrupted
somehow and not load?

I am running the following versions:

krb5-1.8.3-45.1
krb5-plugin-kdb-ldap-1.8.3-45.1
krb5-client-1.8.3-45.1
krb5-32bit-1.8.3-45.1
pam-krb5-4.4-1
krb5-server-1.8.3-45.1

Thanks for any insight.

Tom Parker
tparker1 (29)
5/9/2012 7:18:31 PM
comp.protocols.kerberos

Similar Articles:

Changing master key (Kerberos authentication server+LDAP database)
Is it possible to change the master key of a realm when LDAP is used as the database server? The stash file is not present since LDAP is used. Appreciate any help on this. Thanks, Anubha ...

realm creation - scripting
Hello, I'm new to this mailing list. I'm writing an automated script to setup kerberos with ldap backend. When I come to the point to setup my kerberos realm I'm prompted to enter kdc master key: --- kdb5_ldap_util -D cn=admin,dc=mydomain,dc=org -w mypassword create -r MYDOMAIN.ORG -s Initializing database for realm 'MYDOMAIN.ORG' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: --- I don't want to be prompted for a password. How can I pass the kdc master password to kdb5_ldap_util within my script? Thank you in advance! ...

Forgot Kerberos Master Key
Dear Team, I forgot kerberos master key but i have key stash file. How can I get the clear text password from the stash file. Regards, Bharathikannan R ...

Changing the database master key
Hello all, My understanding from previous discussions was that it was not possible to change the database master key for an MIT Kerberos KDC due to various bits that are encrypted in the master key. However, I noticed that the kdb5_util man page seems to indicate that it can under dump: -mkey_convert prompts for a new master key. This new master key will be used to re-encrypt the key data in the dumpfile. The key data in the database will not be changed. -new_mkey_file mkey_file the filename of a stash file. The master key in this stash file will be used to re-encrypt the key data in the dumpfile. The key data in the database will not be changed. Those options make it sound like I could use a technique like: 1. Create a new KDC database in a new location with an AES master key. 2. Dump the old database using -new_mkey_file pointing at the new stash. 3. Load the database dump into the new empty database. and thereby change the database master key. Is that correct? Does this fail for some reason? Has anyone done this? -- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/> >My understanding from previous discussions was that it was not possible to >change the database master key for an MIT Kerberos KDC due to various bits >that are encrypted in the master key. However, I noticed that the >kdb5_util man page seems to indic...

When is a key not a key?
Hi, I hesitate to write because some of my code here is pretty evil, but this problem is weirding me out a bit. I have a hash (loan_shark) indexed by instances of a particular struct (Player). The hash seems to be failing to find its keys when I try to look them up. Like this: loan_shark.size #=> 4 loan_shark.has_key?(loan_shark.keys[0]) #=> false Any ideas? The background is something like this: Player = Struct.new(:name, :bankroll, :hands) .... loan_shark = {} .... newb = Player.new("Fred", some_dollars) .... loan_shark[newb] = some_dollars .... ...

Duplicate subforms content and key link to another master table key
Hi, Here is the following scenario. I do have a master table with related subforms from wich I need to create a revision. But I need to duplicate the content of the subforms and link them to the new entry in the master table. Each string possess its unique identifier number. So in this case I have a master table with the following structure (simplified) DesiID = Design Unique Identifier Pnum = Project number PPro = Prototype Number PRev = Revision Number FieldN = other fields And subforms attached to the master table by the Unique identifier PartID = Part Unique Identifier DesiID = Link...

selecting master key enctype for a new database
I need to create a new realm, and I'm wondering if anyone has a recommendation about which enctype to use for the master key. The kdb5_util program seems to still default to des-cbc-crc when creating a database (I'm running MIT Kerberos 1.4.1), and I'm not sure if there's a good reason for this. I'd like to use one of the new, stronger enctypes like aes256, but I'm not sure what the pros and cons are. I suppose that all of the slave KDCs would have to be upgraded to a version of Kerberos that supports whatever master key enctype I choose, but I don't anticipate a problem there. Are there client issues? Cross-realm trust issues? Something else? I don't plan to run anything but MIT Kerberos for a KDC, but if anyone knows of any gotchas with specific enctypes/vendors, that might be useful information. Thanks. -- Phil Tracy ptracy@northwestern.edu Information Systems Architecture Northwestern University Information Technology ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

kadmin.local: Cannot find/read stored master key
Hello, I've got problems setting up Krb5 on my Crux Linux host. I did all necessary things and always get stuck at the point trying to create the keytab file with kadmin.local. The program says: Authenticating as principal root/admin@TESTSERVER.FREEBIS.DE with password. kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface Here is my /etc/krb5.conf: ----------------------------------------------------------------------- [libdefaults] default_realm = TESTSERVER.FREEBIS.DE dns_lookup_realm = false dns_lookup_kdc = false [real...

Kerberos master/master sync using OpenLDAP N-Way Multi-Master
I haven't seen this idea posted anywhere. The new version of OpenLDAP (I'm using 2.4.15) has the ability to run in a multi-master mode. I was able to set up two servers that each ran a Kerberos instance as well as an OpenLDAP instance that had ldap and kerberos failover. I now don't need to worry about doing any sync with Kerberos, as LDAP does it all. I can also run kadmin against either of the kerberos servers. Some tests I did that were pretty successful were: Realm setup: kdc = kdc01.security.lab.comcast.net:88 kdc = kdc02.security.lab.comcast.net:88 Turn off kdc on kdc01 -> successfully authenticated with kdc02 Turn on kdc but turn off ldap on kdc01 -> successfully authenticated with kdc02 The failover works exactly as expected. -- MAT ...

Starting KDC daemon on Redhat9 fails not finding master key
Hi, I followed the directions in Brian Tung's article on Kerberos for Dummies to set up a KDC on a Redhat9 Linux system. Upon trying to start the daemon, I get a failure, with the log indicating that the master key can't be located. Where is the master key stored and what configuration file/parameter indicates this? I assume, per the directions, that I can kick off the KDC daemon before the Kadmin one, as the article seems to say. Thanks for any help. PL -- Keep it brief: http://www2.paypc.com/mailrules/ ...

[rfc-dist] RFC 5295 on Specification for the Derivation of Root Keys from an Extended Master Session Key (EMSK)
A new Request for Comments is now available in online RFC libraries. RFC 5295 Title: Specification for the Derivation of Root Keys from an Extended Master Session Key (EMSK) Author: J. Salowey, L. Dondeti, V. Narayanan, M. Nakhjiri Status: Standards Track Date: August 2008 Mailbox: jsalowey@cisco.com, ldondeti@qualcomm.com, vidyan@qualcomm.com, madjid.nakhjiri@motorola.com Pages: 21 Characters: 45622 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-hokey-emsk-hierarchy-07.txt URL: http://www.rfc-editor.org/rfc/rfc5295.txt The Extensible Authentication Protocol (EAP) defined the Extended Master Session Key (EMSK) generation, but reserved it for unspecified future uses. This memo reserves the EMSK for the sole purpose of deriving root keys. Root keys are master keys that can be used for multiple purposes, identified by usage definitions. This document also specifies a mechanism for avoiding conflicts between root keys by deriving them in a manner that guarantees cryptographic separation. Finally, this document also defines one such root key usage: Domain-Specific Root Keys are root keys made available to and used within specific key management domains. [STANDARDS TRACK] T...

kadmin and other errors: "Master key does not match database while initializing ..."
My Kadmin daemon will no longer start. It gives me: [root@kdc3 root]# /etc/init.d/kadmin start Starting Kerberos 5 Admin Server: kadmind: Master key does not match database while initializing, aborting I get a similar error when I do "krb5_util dump file.dump". From the Kerberos FAQ it sounds like a problem with my kerberos database but I didn't find any references on how to fix it. Can someone point me in the right direction? This is Fedora Core 1. Let me know what other relevant information might provide useful. Thanks Austin ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos >>>>> "godber" == Austin Godber <godber@mars.asu.edu> writes: godber> My Kadmin daemon will no longer start. It gives me: godber> [root@kdc3 root]# /etc/init.d/kadmin start godber> Starting Kerberos 5 Admin Server: kadmind: Master key does not match godber> database while initializing, aborting godber> I get a similar error when I do "krb5_util dump file.dump". godber> From the Kerberos FAQ it sounds like a problem with my kerberos godber> database but I didn't find any references on how to fix it. Can godber> someone point me in the right direction? godber> This is Fedora Core 1. Let me know what other relevant information godber> might provide useful. This is not really enough information to f...

how to find out key size from public key?
If I have a public key, how can find out the key size, e.g. 1024, 2048, etc? TIA ...

The Microsoft Jet database engine cannot find a record in the table"with key matching field(s)"
Please can you help me with this problem: In the next form, when I Add new person who is not registered in the base I had the massage: The Microsoft Jet database engine cannot find a record in the table 'CLAN' with key matching field(s) JMBG. The question is: How to add data for the unregistered visitors in the next fields: JMBG (unique person number);(translation) STATUS; IME (name); PREZIME (surname); GRAD (town); UPLACENO (payment) NAPOMENA (comment) If you want I can send mdb.zip. Thank you very much. ...

TSA Master Keys
https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html Quoting from the URL above: Someone recently noticed a Washington Post story on the TSA that originally contained a detailed photograph of all the TSA master keys. It's now blurred out of the Washington Post story, but the image is still floating around the Internet. The whole thing neatly illustrates one of the main problems with backdoors, whether in cryptographic systems or physical systems: they're fragile. ... ...

Problem with master key
Hello, I made a mistake. I exported the K/M key with ktadd :(... the password had changed. I could not use kadmin.local I changed the password of K/M with the old value with cpw. I can use kadmin.local :) without password, but if I try to change a passwd for a principal, I get this message : change_password: No matching key in entry while changing password for All works fine with a administrator account. Help me :( ...

Changing the master key
We've run into a situation with MIT Kerberos 1.8.2 where the master key has been changed and yet the slave kdc's are still reporting that the original master key is being used on new principals. Slave kdc updates are happening via iprop. The master kdc is behaving as expected, and all new principals report using the new mkey vno. On the master and all slave kdc's, "kdb5_util -list_mkeys" shows that the new mkey vno is active master key. I have no idea what steps were used to change the master key (not my infra) and I'm wondering if this situation can be fixed. I've searched for a "Dummies Guide to Changing your MKey" but I've only found bits and pieces here and there with no real indication of how slaves enter into the picture. Should they be recreated from scratch once the master is changed? Any pointers or help appreciated! jd ...

Testing master key?
Remind me again how to test my master key? I can't find that I documented it anywhere in my safe, so now it's time to start guessing and hope for a hit :/ ...

What are the differences between the terms, CANDIDATE KEY, PRIMARY KEY, SUPER KEY, COMPOSITE KEY?
Hi, Can anybody tell me the differences between the above mentioned terms? Also please tell me if one can be the other and vice versa..please elaborate with the helpof a table if possible. Also please tellme if the below statement by me is correct.. a) Any attribute or a collection of attributes which uniquely identifies the tuples in a relation is called a canditate key.this candidate key thus can contain a single attribute or a collection of attributes. b) one of the attributes is chosen by the DBMS to identify the tuples uniquely and this attribute is called the primary key. c) A primarykey is a candidate key.all candidate keys cannot be a primary key. Now,,,what is the superkey? >> A primarykey is a candidate key.all candidate keys cannot be a primary >> key. Now,,,what is the superkey? http://groups.google.com/group/comp.databases.ms-sqlserver/msg/b156494b68634ee7 -- Anith A superkey is a set of attributes which uniquely identifies a tuple in a relation. A candidate key is an irreducible set of attributes which uniquely identifies a tuple in a relation. A composite key is a candidate key that has more than one attribute. The primary key is a candidate key. Any candidate key can be the primary key, but usually the candidate key that participates in referential constraints is designated as the primary key. (a) is imprecise. A collection is different from a set: it's a multiset. Also, a candidate key...

How do I find the virtual key code for a certain key?
Hi everybody, On the internet, I've found several lists of virtual key codes for use in WM_KEYDOWN and WM_KEYUP, but not all of them. How can I find out the (virtual) key code for a certain key? Is there a complete list? The keys I'm specifically looking for are � and �. Thanks in advance, Ikke Ikke wrote: > On the internet, I've found several lists of virtual key codes for use in > WM_KEYDOWN and WM_KEYUP, but not all of them. > > How can I find out the (virtual) key code for a certain key? Is there a > complete list? You're in a wrong newsgroup, Ikk...

master-master replication
Hi, I have following queries related to postgresql 1. Does version 7.4.1 supports master-master replication? If not, does it support master-slave replication where slave can become the master once master is down? When the master comes up again, can it can be configured to slave mode? 2. If the master-master replication is available, is it free of cost? Is it being supported on SCO Unixware version 7.1.1 ? If its not free, where can I find the product cost? If master-master replication is not available, is master-slave replication free of cost? 3. Where can I find the documents talking ab...

how do i select only master records where master is not present in join table
hi- i want to find master records where that master doesn't have a presence in the join table. for example, if i were doing a restaurant review web site, and i have users, reviews, and restaurants. i want to find all restaurants for which a specific user has NOT written a review. i tried this: select distinct restaurants.id from restaurants left join reviews on restaurants.id = reviews.restaurant_id where (reviews.user_id <> 5 or review_users is NULL) but this doesn't work because it finds restaurants where user 5 AND someone else have reviewed and only elim...

Unknown primary keys and foreign keys ina database
I would like to connect to a database and determine, on the fly, what columns are the foreign and primary keys for each table. Is there any way to do this using the LabView Database connectivity toolkit or a SQL query? Thank you! Brad Found it, thanks! For future reference (for anyone who might search for this topic) Go to: Tools -> Options -> View and check "system" and "hidden" objects to explore the structure of these tables. It's not recommended to edit them directly for obvious reasons, but will at least give an idea...

Kerberos Master Password for database
How can you verify that you have the correct password for a database that is already created? On 2006-11-18 00:45:15 +0100, "melanotus@gmail.com" <melanotus@gmail.com> said: > How can you verify that you have the correct password for a database > that is already created? Without a correct password Kerberos does not work, so if your KDCs are up and running you have the correct db password. If you remove (rename) the stash and recreate it, you may verify that your memory is good. Otherwise you remember an incorrect password. (Provided that I understand how Kerberos works... I may be wrong.) -- Sensei <senseiwa@Apple's mail> Research (n.): a discovery already published by a chinese guy one month before you, copying a russian who did it in the 60s. ...
