>>>>> "Benjamin" == Benjamin Kaduk <ka...@mit.edu> writes:
Benjamin> I'm pretty sure that changing the master key encryption
Benjamin> type used for new databases has basically no upgrade
Benjamin> considerations and could be "just done". Updating the
Benjamin> encryption type for that key on existing databases will
Benjamin> have nontrivial upgrade considerations (and in fact will
Benjamin> not be possible to do automatically in a maintainer script
Benjamin> in all cases).

Agreed.

Benjamin> It is even possible that we might drop that configuration
Benjamin> stanza entirely rather than just changing the encryption
Benjamin> type, though we would want to more thoroughly research the
Benjamin> consequences of doing so before actually making that
Benjamin> change.

For new installations, I think that's fine.
I think going back and changing kdc.conf on existing installations would be fine so long as they aren't old enough to use the pre-keytab stash file format. As I recall that format didn't include enctype. But I think that was a really long time ago.

I'll remove the master_key_type from kdc.conf in an upload soon. I'll also add a news item recommending that people upgrade their master key.

We can talk about how much automated upgrade is possible, but in the case of kpropd, that's going to be hard.