3.7 Setting the Master Key

If the master key of a realm in eDirectory is corrupted, you can use kdb5_ldap_util to reset it. Ensure that the master key is reset with the same master password and key type that were provided when the realm was created. Otherwise, all the principals in the realm will be unusable.

If you change the master key of a realm, the existing principals can no longer access any Kerberos service in the network, because their secret keys were encrypted with the old master key. If you want to change the master key, you must delete and reset the keys of all the principals in the realm.

You can reset the master key as follows:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert]
               setmasterkey [-k mkeytype] [-m|-P password] [-r realm]

For example:

kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu setmasterkey -r ATHENA.MIT.EDU

Table 3-21 setmasterkey Parameters

Parameter   Description

-k          Specifies the key type of the master key for the realm. If not specified, the default, DES3_HMAC_SHA1, is used.

-m          Specifies that the master password is read from the keyboard.

-P          Specifies the master password on the command line. Not recommended: a password passed as an argument can be seen by other users of the host in the process list and may be saved in the shell history. Use -m instead.

-r          Specifies the Kerberos realm of the database. By default, the default_realm parameter of the configuration file (/etc/krb5.conf) is used.
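The following wrapper is an added example, not part of the Novell documentation or the kdb5_ldap_util tool. It checks the inputs before running setmasterkey: it requires an ldaps:// URI, refuses a key type that differs from the one recorded when the realm was created (passed in as a fifth argument), and always uses -m so the master password is typed at the terminal rather than placed on the command line. The admin DN, server name, realm and key type are constructed sample values; DRY_RUN is an assumed variable that prints the command instead of running it.

```shell
#!/bin/sh
# Added example: guarded wrapper for "kdb5_ldap_util setmasterkey".
# check_setmasterkey_args ADMIN_DN LDAP_URI REALM KEYTYPE EXPECTED_KEYTYPE
# Returns 0 only when the arguments are safe to use for a master key reset.
check_setmasterkey_args() {
    admin_dn=$1 ldap_uri=$2 realm=$3 keytype=$4 expected=$5
    if [ -z "$admin_dn" ] || [ -z "$realm" ]; then
        echo "admin DN and realm are required" >&2
        return 1
    fi
    # The admin bind password (-w or prompted) travels over this link,
    # so insist on TLS rather than plain ldap://.
    case "$ldap_uri" in
        ldaps://*) ;;
        *) echo "refusing non-ldaps URI: $ldap_uri" >&2; return 1 ;;
    esac
    # Resetting with a different key type than the realm was created with
    # leaves every principal unusable, so compare against the recorded value.
    if [ "$keytype" != "$expected" ]; then
        echo "key type $keytype differs from recorded realm key type $expected" >&2
        return 1
    fi
    return 0
}

# reset_master_key ADMIN_DN LDAP_URI REALM KEYTYPE EXPECTED_KEYTYPE
# Runs the reset (or prints the command when DRY_RUN is set). -m makes
# kdb5_ldap_util read the master password from the keyboard, so the
# password never appears in the process list or the shell history.
reset_master_key() {
    check_setmasterkey_args "$@" || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'kdb5_ldap_util -D %s -H %s setmasterkey -k %s -m -r %s\n' "$1" "$2" "$4" "$3"
        return 0
    fi
    kdb5_ldap_util -D "$1" -H "$2" setmasterkey -k "$4" -m -r "$3"
}
```

Record the key type used at realm creation somewhere the administrator controls and pass it as the fifth argument; the wrapper then refuses a reset that would silently break the realm.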

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Set Master Key.

Refer to the iManager online help for more information.

NOTE: Enter the same master password that was provided during creation of the realm.