Setting the Master Key

If the master key of a realm in eDirectory is corrupted, you can reset it using kdb5_util. Ensure that the master key is reset with the same master password and key type that were provided when the realm was created. Otherwise, all the principals in the realm become unusable.

If you change the master key of a realm (that is, reset it with a different master password or key type), the existing principals can no longer access any Kerberos service in the network, because their secret keys were encrypted with the old master key. If you want to change the master key anyway, you must delete and reset the keys of all the principals in the realm.

You can reset the master key as follows:

kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert] setmasterkey [-k mkeytype] [-m|-P password] [-r realm]

For example:

kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu -p 636 setmasterkey -r ATHENA.MIT.EDU
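The following shell wrapper is an added example, not part of the original documentation. It assembles a kdb5_util setmasterkey invocation that follows the recommendations on this page: the bind password and the master password are never placed on the command line (no -w, no -P; the master password is read from the keyboard with -m), the LDAPS port is checked to be numeric, and the trusted root certificate is always passed with -t so that the connection to the LDAP server is verified. The user DN, host name, certificate path and realm used in the comments and test are constructed placeholders; the build function only prints the command, and the run function is the one that actually executes kdb5_util.

```shell
#!/bin/sh
# Added example (not from the original documentation): build a kdb5_util
# setmasterkey command line that never carries a secret as an argument.
# All DNs, host names, certificate paths and realm names are constructed
# placeholders.

# Usage: build_setmasterkey_cmd USER_DN LDAP_HOST LDAP_PORT CERT_FILE REALM [KEYTYPE]
# Prints the command on stdout. Returns 1 when a required argument is
# missing, when the port is not numeric, or when a -w/-P password flag is
# smuggled in through any argument.
build_setmasterkey_cmd() {
    user_dn=$1; host=$2; port=$3; cert=$4; realm=$5
    # DES3_HMAC_SHA1 is the default key type named on this page; it must
    # match the key type the realm was created with.
    keytype=${6:-DES3_HMAC_SHA1}

    if [ -z "$user_dn" ] || [ -z "$host" ] || [ -z "$port" ] \
       || [ -z "$cert" ] || [ -z "$realm" ]; then
        echo "build_setmasterkey_cmd: missing argument" >&2
        return 1
    fi

    # Refuse anything that would put a password into the process list or
    # shell history (the page advises against -w and -P).
    for a in "$@"; do
        case "$a" in
            -w*|-P*)
                echo "build_setmasterkey_cmd: refusing to pass a password on the command line" >&2
                return 1 ;;
        esac
    done

    # Only a numeric port is accepted (the page's example uses 636, LDAPS).
    case "$port" in
        ''|*[!0-9]*)
            echo "build_setmasterkey_cmd: port must be numeric" >&2
            return 1 ;;
    esac

    printf 'kdb5_util -D %s -h %s -p %s -t %s setmasterkey -k %s -m -r %s\n' \
        "$user_dn" "$host" "$port" "$cert" "$keytype" "$realm"
}

# Validates the arguments with the builder above, then runs kdb5_util with
# the same options. kdb5_util prompts for the bind password and, because of
# -m, for the master password on the keyboard.
run_setmasterkey() {
    user_dn=$1; host=$2; port=$3; cert=$4; realm=$5
    keytype=${6:-DES3_HMAC_SHA1}
    build_setmasterkey_cmd "$@" >/dev/null || return 1
    kdb5_util -D "$user_dn" -h "$host" -p "$port" -t "$cert" \
        setmasterkey -k "$keytype" -m -r "$realm"
}
```

A typical invocation is run_setmasterkey 'cn=admin,o=org' ldap-server1.mit.edu 636 /etc/ssl/certs/ldap-ca.pem ATHENA.MIT.EDU, which mirrors the example above but adds -t and -m; the key type argument is left at the default only when the realm was created with that default.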


Table 36. setmasterkey Parameter Description

Parameter   Description

-D          Distinguished name of the user who has sufficient rights to authenticate to the LDAP server.

-w          Specifies the password of the user DN. We do not recommend using this option.

-h          Host name or IP address of the server hosting the LDAP service for a Kerberos realm.

-p          SSL port number of the LDAP server.

-t          Specifies the file name that contains the trusted root certificate of the LDAP server.

-k          Specifies the key type of the master key for the realm; if not specified, the default value is used. The default value is DES3_HMAC_SHA1.

-m          Specifies that the master password should be read from the keyboard.

-P          Specifies the master password. We do not recommend using this option.

-r          Specifies the Kerberos realm of the database; by default, the default_realm parameter of the configuration file (/etc/krb5.conf) is used.