So, the underlying issue is that we're trying to set an empty master key - which doesn't really make sense anyway.
There are two solutions I can think of; either we can just skip calling kstash at all here, or we can generate a random key. The latter seems like a better idea, since it means we won't be setting an empty key by default (the priority for the heimdal-kdc/password question is medium). Does that seem reasonable?

Jelmer
commit e5927d013dc5a156f9e24858ad8f5714ab9b5b60 Author: Jelmer Vernooij <jel...@samba.org> Date: Sun Dec 1 13:53:40 2013 +0000 Set random master key if no explicit password was specified. Closes: #730011 diff --git a/debian/changelog b/debian/changelog index 0d4e176..9b0f851 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ heimdal (1.6~git20131117+dfsg-3) UNRELEASED; urgency=low to prevent conflicts with libkrb5-multidev. Closes: #730267 * Rename login.1 to login.heimdal.1 to support installing together with login. Closes: #729946 + * Set random master key if no explicit password was specified. Closes: + #730011 -- Jelmer Vernooij <jel...@debian.org> Sun, 24 Nov 2013 14:59:33 +0000 diff --git a/debian/heimdal-kdc.postinst b/debian/heimdal-kdc.postinst index 5e66361..335da42 100644 --- a/debian/heimdal-kdc.postinst +++ b/debian/heimdal-kdc.postinst @@ -70,9 +70,13 @@ then DST=/etc/heimdal-kdc/kadmind.acl cp -a /usr/share/heimdal-kdc/kadmind.acl "$DST" - kstash --master-key-fd=0 <<EOF + if [ -z "$PASSWORD" ]; then + kstash --random-key + else + kstash --master-key-fd=0 <<EOF $PASSWORD EOF + fi kadmin -l init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited "$REALM"
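Review bot: In the debian/heimdal-kdc.postinst hunk, the new `kstash --random-key` branch is taken whenever `$PASSWORD` is empty, and nothing in the script or the changelog entry tells the administrator that the master key then exists only in the stash file, with no passphrase to re-create it from. Please add a comment above the `if [ -z "$PASSWORD" ]` test and a sentence in the description of the heimdal-kdc/password question saying that an empty answer generates a random key and that the key file has to be backed up along with the database. A smaller point on the `else` branch: the here-document is now nested inside the conditional, and with plain `<<EOF` the terminator is only recognised at the start of the line, so either keep `$PASSWORD` and `EOF` unindented or switch to `<<-EOF` with tab indentation.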