When the ticket-granting service (TGS) principal only has a DES key, the key restricts the encryption type of the ticket-granting ticket (TGT) session key to DES. When the KDC is updated to a release that supports stronger encryption types, you must replace the DES key of the TGS principal so that the principal can generate stronger encryption for all session keys.
You can replace the key remotely or on the master server. You must be an admin principal who is assigned the changepw privilege.
To replace the TGS service principal key from any Kerberos system, use the kadmin command.
kdc1 % /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin: cpw -randkey krbtgt/EXAMPLE.COM@EXAMPLE.COM
Enter TGS key: xxxxxxxx
Enter new TGS key: /** Type strong password **/
Re-enter TGS key to verify: xxxxxxxx
cpw is an alias for the change_password command. The -randkey option prompts you for the new password.
If you are logged on to the KDC master as root, you can use the kadmin.local command. You are prompted for the new database password.
kdc1 # kadmin.local -q 'cpw -randkey krbtgt/EXAMPLE.COM@EXAMPLE.COM'
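A check to run before and after the key replacement, as an added example that is not part of the original page: the shell function below classifies the keys that getprinc lists for the TGS principal, so you can confirm that the principal no longer has only a DES key. It assumes that each key is reported on a line of the form "Key: vno N, enctype"; the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# Reads getprinc output on stdin and classifies the principal's keys.
# Assumption: every key appears on a line "Key: vno <n>, <enctype>[, <salt>]".
# Prints one of: des-only, mixed, no-des, no-keys.
tgs_key_audit() {
    awk '
        /^Key: vno / {
            line = tolower($0)
            sub(/^key: vno [0-9]+, */, "", line)   # keep the enctype text
            # Single DES: a name starting with "des" that is not "des3".
            if (line ~ /^des/ && line !~ /^des3/) des++
            else other++
        }
        END {
            if (des + other == 0) print "no-keys"
            else if (other == 0)  print "des-only"
            else if (des == 0)    print "no-des"
            else                  print "mixed"
        }'
}

# Constructed sample output: TGS principal that only has a DES key.
SAMPLE_BEFORE='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt'

# Constructed sample output: same principal after the key was replaced.
SAMPLE_AFTER='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 3
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | tgs_key_audit)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | tgs_key_audit)"

# On the KDC master, feed it live output instead of the samples:
#   kadmin.local -q 'getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM' | tgs_key_audit
```

A result of des-only means that the TGT session key is still restricted to DES and the TGS key has not yet been replaced.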