From 4ccc18bc3ddc49d0fd0d2de00ec91c0fa44c53a8 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 23 Oct 2013 11:55:19 -0400
Subject: Use active master key in update_princ_encryption

kdb5_util update_princ_encryption should update to the active master key version, not the most recent.

ticket: 6507
target_version: 1.12
tags: pullup
---
 doc/admin/admin_commands/kdb5_util.rst | 4 ++--
 src/kadmin/dbutil/kdb5_mkey.c | 15 +++++----------
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst
index 2d7636ef15..f9fcd0afe8 100644
--- a/doc/admin/admin_commands/kdb5_util.rst
+++ b/doc/admin/admin_commands/kdb5_util.rst
@@ -324,8 +324,8 @@ update_princ_encryption
 Update all principal records (or only those matching the *princ-pattern* glob pattern) to re-encrypt the key data using the
-active database master key, if they are encrypted using older
-versions, and give a count at the end of the number of principals
+active database master key, if they are encrypted using a different
+version, and give a count at the end of the number of principals
 updated. If the **-f** option is not given, ask for confirmation before starting to make changes. The **-v** option causes each principal processed to be listed, with an indication as to whether it
diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c
index 18cfb1c167..87a1dc3193 100644
--- a/src/kadmin/dbutil/kdb5_mkey.c
+++ b/src/kadmin/dbutil/kdb5_mkey.c
@@ -933,7 +933,7 @@ kdb5_update_princ_encryption(int argc, char *argv[])
 char *msg;
 #endif
 char *regexp = NULL;
- krb5_keyblock *tmp_keyblock = NULL;
+ krb5_keyblock *act_mkey;
 krb5_keylist_node *master_keylist = krb5_db_mkey_list_alias(util_context);
 
 while ((optchar = getopt(argc, argv, "fnv")) != -1) {
@@ -1018,19 +1018,14 @@ kdb5_update_princ_encryption(int argc, char *argv[])
 goto cleanup;
 }
 
- /* Master key is always stored encrypted in the latest version of
- itself. */
- new_mkvno = krb5_db_get_key_data_kvno(util_context,
- master_entry->n_key_data,
- master_entry->key_data);
-
- retval = krb5_dbe_find_mkey(util_context, master_entry, &tmp_keyblock);
+ retval = krb5_dbe_find_act_mkey(util_context, actkvno_list, &new_mkvno,
+ &act_mkey);
 if (retval) {
- com_err(progname, retval, _("retrieving the most recent master key"));
+ com_err(progname, retval, _("while looking up active master key"));
 exit_status++;
 goto cleanup;
 }
- new_master_keyblock = *tmp_keyblock;
+ new_master_keyblock = *act_mkey;
 
 if (!force && !data.dry_run &&
--
cgit
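Review bot: `new_master_keyblock = *act_mkey;` dereferences the pointer filled in by krb5_dbe_find_act_mkey with no NULL check; unless that helper is known never to return success with a null `act_mkey` (not verifiable from this hunk), a guard placed ahead of the existing `if (retval)` test, `if (retval == 0 && act_mkey == NULL) retval = KRB5_KDB_NO_ACT_MKEY;`, turns a possible crash into the error path the hunk already has. For the same reason the declaration in the earlier hunk (`krb5_keyblock *act_mkey;`) would be safer as `krb5_keyblock *act_mkey = NULL;`, matching `regexp` on the line above it and keeping the variable well-defined should a `goto cleanup` ever be added before the lookup. The assignment is a shallow struct copy, so `new_master_keyblock.contents` appears to alias storage owned by the master key list obtained in the first hunk; a one-line comment such as `/* Shallow copy: contents belongs to the master key list; do not free. */` would keep a future cleanup change from releasing it. The enclosing function begins before and continues after this hunk.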