diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-10-23 11:55:19 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-10-25 11:36:11 -0400 |
| commit | 4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8 (patch) | |
| tree | b5b184695615332f50d2ad29ef7e62f8c58cd4f8 | |
| parent | 7fee58ccadf1b61eec9a8c62f47dac43986e2ad1 (diff) | |
| download | krb5-4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8.tar.gz krb5-4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8.tar.xz krb5-4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8.zip | |
Use active master key in update_princ_encryption
kdb5_util update_princ_encryption should update to the active master
key version, not the most recent.
ticket: 6507
target_version: 1.12
tags: pullup
| -rw-r--r-- | doc/admin/admin_commands/kdb5_util.rst | 4 | ||||
| -rw-r--r-- | src/kadmin/dbutil/kdb5_mkey.c | 15 |
2 files changed, 7 insertions, 12 deletions
diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst index 2d7636ef15..f9fcd0afe8 100644 --- a/doc/admin/admin_commands/kdb5_util.rst +++ b/doc/admin/admin_commands/kdb5_util.rst @@ -324,8 +324,8 @@ update_princ_encryption Update all principal records (or only those matching the *princ-pattern* glob pattern) to re-encrypt the key data using the -active database master key, if they are encrypted using older -versions, and give a count at the end of the number of principals +active database master key, if they are encrypted using a different +version, and give a count at the end of the number of principals updated. If the **-f** option is not given, ask for confirmation before starting to make changes. The **-v** option causes each principal processed to be listed, with an indication as to whether it diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 18cfb1c167..87a1dc3193 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -933,7 +933,7 @@ kdb5_update_princ_encryption(int argc, char *argv[]) char *msg; #endif char *regexp = NULL; - krb5_keyblock *tmp_keyblock = NULL; + krb5_keyblock *act_mkey; krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context); while ((optchar = getopt(argc, argv, "fnv")) != -1) { @@ -1018,19 +1018,14 @@ kdb5_update_princ_encryption(int argc, char *argv[]) goto cleanup; } - /* Master key is always stored encrypted in the latest version of - itself. */ - new_mkvno = krb5_db_get_key_data_kvno(util_context, - master_entry->n_key_data, - master_entry->key_data); - - retval = krb5_dbe_find_mkey(util_context, master_entry, &tmp_keyblock); + retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno, + &act_mkey); if (retval) { - com_err(progname, retval, _("retrieving the most recent master key")); + com_err(progname, retval, _("while looking up active master key")); exit_status++; goto cleanup; } - new_master_keyblock = *tmp_keyblock; + new_master_keyblock = *act_mkey; if (!force && !data.dry_run && |