Restoring the Kerberos Master Key in OpenLDAP
A classic architecture when running a Kerberos KDC together with OpenLDAP is to store the KDC database in an OpenLDAP backend.
The MIT Kerberos documentation site describes the procedure for setting this up.
The advantage of keeping the KDC database in OpenLDAP is that you inherit OpenLDAP replication, which is easy to implement and works well.
The goal of this article is to show a method for restoring the KDC master key after someone has made a mistake with it.
The master key is the center of Kerberos security: setting it is the first step when you create your Kerberos database.
It is used to encrypt the long-term keys of every principal stored in the database, and the KDC needs it at startup, which is why it is normally kept in a stash file on the KDC host.
If you lose this key, every principal key in the database becomes unreadable: you have to regenerate all of them and, if you use keytabs, redeploy every keytab, which can be a very tough job. If you only need to change the master key, MIT Kerberos documents a rollover procedure (kdb5_util add_mpkey, use_mkey, update_princ_encryption and purge_mkeys) that re-encrypts the principal keys under the new master key without changing the principal keys themselves, so keytabs stay valid.
One of the major sources of mistakes on a Kerberos KDC is the command used to write a keytab: if you forget the -norandkey option of kadmin.local ktadd, the principal's key is replaced by a random one and its kvno is incremented, which invalidates every existing keytab and key for that principal.
If one day someone forgets -norandkey while running ktadd on the master key principal K/M@REALM, you have a very big problem: the K/M entry now holds a new random key with a higher kvno while the stash file still holds the old one, so kadmin and the KDC no longer start and fail with errors such as "Decrypt integrity check failed while initializing kadmin.local interface or getting master key list". Note that ktadd rewrote only the K/M entry; the principal keys in the database are still encrypted under the old master key, the one in the stash file, which is exactly why putting the old K/M entry back is enough. Also delete the keytab that the mistaken ktadd wrote, since it contains key material that has no business lying around.
Here is a solution to restore your master key. Since you take a daily backup of OpenLDAP (a slapcat LDIF dump), you can find the master key's distinguished name and its attributes in the LDIF from before the mistake.
You then only have to write LDIF files that replace the new master key values with the old ones, and apply them as the OpenLDAP rootdn (cn=Manager), because the ACLs on the Kerberos part of the directory are normally very strict and no other identity is allowed to write the K/M entry.
krbPrincipalKey.ldif

dn: krbPrincipalName=K/M@REALM,cn=REALM,cn=Kerberos,dc=example,dc=com
changetype: modify
replace: krbPrincipalKey
krbPrincipalKey:: <OLD VALUE FROM YOUR BACKUP>
krbExtraData.ldif

dn: krbPrincipalName=K/M@REALM,cn=REALM,cn=Kerberos,dc=example,dc=com
changetype: modify
replace: krbExtraData
krbExtraData:: <OLD VALUE FROM YOUR BACKUP>
krbExtraData:: <OLD VALUE FROM YOUR BACKUP>
krbExtraData:: <OLD VALUE FROM YOUR BACKUP>
In LDIF, a double colon (::) after the attribute name means the value that follows is base64-encoded. Copy the base64 text from your backup exactly as it is; in a slapcat dump a long value may be folded over several lines, each continuation line starting with a single space, and those pieces must be joined back into one value.
Then apply the LDIF files with ldapmodify, using a simple bind (-x) as the Manager; -W prompts for the Manager password:

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -H ldaps://<LDAPS HOST> -W -f krbPrincipalKey.ldif
ldapmodify -x -D "cn=Manager,dc=example,dc=com" -H ldaps://<LDAPS HOST> -W -f krbExtraData.ldif
Once done, the old master key with the right kvno is back in the directory. Check it with kadmin.local getprinc K/M@REALM, which works again now that the K/M entry matches the stash file and shows the restored key vno, then start the kadmin and KDC services again.
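To take the guesswork out of copying base64 values by hand, here is an added example written for this article (it is not code from MIT Kerberos or OpenLDAP). It reads a slapcat LDIF backup, unfolds continuation lines, locates the K/M@REALM entry and writes a single ldapmodify file that replaces krbPrincipalKey and krbExtraData with the backed-up values in one Modify operation, which the server applies atomically. The embedded sample backup is constructed with placeholder bytes, not real key material; the realm EXAMPLE.COM, the suffix dc=example,dc=com and the script name restore_km.py are assumptions for the illustration.

```python
#!/usr/bin/env python3
"""Rebuild the ldapmodify LDIF that puts the backed-up K/M entry back.

Added example for this article, not MIT Kerberos or OpenLDAP code. It assumes
the backup is RFC 2849 LDIF as written by slapcat/ldapsearch: attribute lines
may be folded (continuation lines start with one space), binary values are
base64 ('::') and entries are separated by blank lines.
"""
import base64
import sys

# Constructed sample backup (placeholder bytes, NOT real key material): the
# realm container, the K/M principal with a folded DN and a folded
# krbPrincipalKey, and one ordinary principal the lookup must skip.
SAMPLE_BACKUP = """\
# slapcat -b dc=example,dc=com   (constructed excerpt)
dn: cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
objectClass: krbRealmContainer
cn: EXAMPLE.COM

dn: krbPrincipalName=K/M@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Kerberos,dc=example,
 dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: K/M@EXAMPLE.COM
krbPrincipalKey:: MIGXoAMCAQGhAwIBAaIDAgEBowMCAQGkgYkwgYYwgYOgAwIBAqEDAgER
 ogMCAQWjBwQFa2V5MTIz
krbExtraData:: AAL4zBlZcm9vdC9hZG1pbkBFWEFNUExFLkNPTQAA
krbExtraData:: AAgBAAAB
krbLastPwdChange: 20230101000000Z

dn: krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=Kerberos,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: alice@EXAMPLE.COM
krbPrincipalKey:: dXNlcmtleWJsb2I4
"""


def _split_line(line):
    """Split one unfolded LDIF line into (attribute name, value as bytes)."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("malformed LDIF line: %r" % line)
    if rest.startswith(":"):                       # 'attr:: <base64>'
        return name, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):                       # 'attr:< file:///...'
        raise ValueError("URL-valued attribute not supported: %r" % line)
    return name, rest.lstrip(" ").encode("utf-8")   # 'attr: <text>'


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [bytes, ...]}); values stay bytes
    so binary attributes such as krbPrincipalKey are never mangled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:        # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:                   # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, value = _split_line(line)
        if current is None:
            if name.lower() == "version":          # optional 'version: 1' header
                continue
            if name.lower() != "dn":
                raise ValueError("entry must start with dn:, got %r" % line)
            current = (value.decode("utf-8"), {})
            continue
        current[1].setdefault(name, []).append(value)
    return entries


def find_master_key_entry(entries, realm):
    """Return (dn, attrs) of K/M@REALM; DN matching is case-insensitive."""
    prefix = "krbprincipalname=k/m@%s," % realm.lower()
    for dn, attrs in entries:
        if dn.lower().startswith(prefix):
            return dn, attrs
    raise LookupError("no K/M@%s entry found in the backup" % realm)


def build_restore_ldif(dn, attrs, attributes=("krbPrincipalKey", "krbExtraData")):
    """Emit one 'changetype: modify' replacing each listed attribute with the
    backed-up values (written as '::' base64). A single Modify is applied
    atomically, so key and kvno metadata are never half-restored."""
    lines = ["dn: " + dn, "changetype: modify"]
    for attr in attributes:
        values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), None)
        if not values:
            raise LookupError("%s is missing from backup entry %s" % (attr, dn))
        lines.append("replace: " + attr)
        lines.extend(attr + ":: " + base64.b64encode(v).decode("ascii") for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def restore_ldif_from_backup(backup_text, realm):
    """Backup LDIF text + realm -> ldapmodify input restoring K/M@REALM."""
    dn, attrs = find_master_key_entry(parse_ldif(backup_text), realm)
    return build_restore_ldif(dn, attrs)


if __name__ == "__main__":
    # Usage: python3 restore_km.py backup.ldif EXAMPLE.COM > restore-km.ldif
    # then:  ldapmodify -x -D "cn=Manager,dc=example,dc=com" -H ldaps://<LDAPS HOST> -W -f restore-km.ldif
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.write(restore_ldif_from_backup(fh.read(), sys.argv[2]))
    else:   # no arguments: show the output for the constructed sample
        sys.stdout.write(restore_ldif_from_backup(SAMPLE_BACKUP, "EXAMPLE.COM"))
```

Run it against the backup taken before the mistake, review the generated file (the DN must be the K/M entry of your realm and nothing else), then feed it to ldapmodify as the Manager exactly as above. Because values are re-encoded from the decoded bytes, a backup whose values were folded across lines produces a correct single-line value in the output.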