System Administration Guide: Security Services

ProcedureHow to Refresh the Ticket Granting Service Keys on a Master Server

When the Ticket Granting Service (TGS) principal only has a DES key, which is the case for Solaris KDC servers created prior to the Solaris 10 release, the key restricts the encryption type of the Ticket Granting Ticket (TGT) session key to DES. If a Solaris KDC is updated to Solaris 10 which supports additional, stronger encryption types, the administrator may expect that stronger encryption will be used for all session keys generated by the KDC. However if the existing TGS principal does not have it's keys refreshed to include the new encryption types, then the TGT session key will be continue to be limited to DES. The following procedure refreshes the key so that additional encryption types may be used.

  1. Refresh the TGS service principal key.

    kdc1 % /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: cpw -randkey krbtgt/EXAMPLE.COM@EXAMPLE.COM

Example 23–1 Refreshing the Principal Keys from a Master Server

If you are logged on to the KDC master as root, you can refresh the TGS service principal with the following command:

kdc1 # kadmin.local -q 'cpw -randkey krbtgt/EXAMPLE.COM@EXAMPLE.COM'