problem sending initial data to slave Kerberos server

Dave Steiner steiner at oit.rutgers.edu
Wed Jan 29 13:44:41 EST 2014


[I posted this to the comp.protocols.kerberos newsgroup but don't see it in the 
mailing list archives.  Please forgive if this gets duplicated. -ds]

I'm having problems adding a slave to an existing test cluster.  The output is 
slightly sanitized.  I've researched this and can't find out what I'm missing. 
  The keytabs have the correct kvnos.  trace and debug mode on the kpropd don't 
seem to show anything wrong.  What do I need to check that I'm missing?

master$ /usr/local/kerberos/sbin/kprop -r REALM -d -P 754 -f slave_datatrans 
slave.rutgers.edu
/usr/local/kerberos/sbin/kprop: Server rejected authentication (during sendauth 
exchange) while authenticating to server
/usr/local/kerberos/sbin/kprop: Decrypt integrity check failed signalled from 
server
Error text from server: Decrypt integrity check failed

master$ /usr/local/kerberos/bin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
    1    4                  host/master at REALM
    2    7  host/master.rutgers.edu at REALM


slave$ /usr/local/kerberos/bin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
    1    2                  host/slave at REALM
    2    2  host/slave.rutgers.edu at REALM


I need both of these entries due to the way our Unix support sets up the 
hostname.  The "resolve" test program doesn't find any issues.


master$ /usr/local/kerberos/sbin/kadmin.local -r REALM
Authenticating as principal krbadm/admin at REALM with password.
kadmin.local:  getprinc host/slave
Principal: host/slave at REALM
Expiration date: [never]
Last password change: Tue Jan 28 17:13:06 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 17:13:06 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:  getprinc host/slave.rutgers.edu
Principal: host/slave.rutgers.edu at REALM
Expiration date: [never]
Last password change: Tue Jan 28 17:13:06 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 17:13:06 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local:  getprinc host/master
Principal: host/master at REALM
Expiration date: [never]
Last password change: Tue Jan 28 18:52:10 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 18:52:10 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 4, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

kadmin.local:  getprinc host/master.rutgers.edu
Principal: host/master.rutgers.edu at REALM
Expiration date: [never]
Last password change: Tue Jan 28 18:52:10 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 18:52:10 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 7, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default

kpropd running on the slave:

/usr/local/kerberos/sbin/kpropd -r REALM -f /u01/krb/data/REALM/from_master -F 
/u01/krb/data/REALM/principal -P 754 -S -d

debug output from kpropd:

Connection from master.rutgers.edu
krb5_recvauth(6, kprop5_01, host/slave at REALM, ...)
Database load process for full propagation completed.
waiting for a kprop connection

trace output from kpropd:

[4318] 1390947375.656260: Convert service host (service with host as instance) 
on host (null) to principal
[4318] 1390947375.657065: Remote host after forward canonicalization: slave
[4318] 1390947375.657102: Remote host after reverse DNS processing: slave
[4318] 1390947375.657114: Get host realm for slave
[4318] 1390947375.657131: Use local host slave to get host realm
[4318] 1390947375.657140: Look up slave in the domain_realm map
[4318] 1390947375.657155: Got realm  for host slave
[4318] 1390947375.657201: Got service principal host/slave@
[4319] 1390947385.303114: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab 
(vno 2, enctype des-cbc-crc) with result: 0/Success
[5029] 1390947902.449116: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab 
(vno 2, enctype des-cbc-crc) with result: 0/Success
[5046] 1390947929.179913: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab 
(vno 2, enctype des-cbc-crc) with result: 0/Success
[8676] 1390950188.191260: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab 
(vno 2, enctype des-cbc-crc) with result: 0/Success
[8831] 1390950354.193759: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab 
(vno 2, enctype des-cbc-crc) with result: 0/Success
[12984] 1390952933.79323: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab 
(vno 2, enctype des-cbc-crc) with result: 0/Success
[13422] 1390953199.426489: Retrieving host/slave at REALM from 
FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success


Thanks for any help!
-ds
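
Added example, not part of the original post: a Python cross-check of the three outputs pasted above (the ktutil listing, the getprinc keys, and the kpropd trace lookups) for kvno and enctype agreement. The function names are hypothetical and the sample strings are copied from the post; agreement is a necessary condition only, since a kvno is a label and does not show that the key bytes match.

```python
import re

def norm(name):  # the list archive shows "@" as " at "; accept either form
    return name.strip().replace(" at ", "@")

def parse_ktutil(listing):  # ktutil 'l' rows -> {principal: {kvno, ...}}
    out = {}
    for v, p in re.findall(r"^[ \t]*\d+[ \t]+(\d+)[ \t]+(\S.*)$", listing, re.M):
        out.setdefault(norm(p), set()).add(int(v))
    return out

def parse_getprinc(output):
    """kadmin getprinc output -> {principal: [(kvno, enctype), ...]}"""
    keys, current = {}, None
    for line in output.splitlines():
        if line.startswith("Principal:"):
            current = norm(line.split(":", 1)[1])
            keys[current] = []
        m = re.match(r"Key: vno (\d+), ([^,\s]+)", line)  # "MKey:" lines do not match
        if m and current:
            keys[current].append((int(m.group(1)), m.group(2)))
    return keys

def parse_trace(trace):
    """Trace keytab lookups -> {(principal, kvno, enctype), ...}"""
    pat = r"Retrieving\s+(\S+(?: at \S+)?)\s+from\s+\S+\s+\(vno (\d+), enctype ([^)]+)\)"
    return {(norm(p), int(v), e) for p, v, e in re.findall(pat, trace)}

def cross_check(keytab, kdc, used=()):
    """Findings list; empty means kvno/enctype agree (necessary, not proof of equal keys)."""
    findings = []
    for princ, kvnos in sorted(keytab.items()):
        kdc_kvnos = {k for k, _ in kdc.get(princ, [])}
        if not kdc_kvnos:
            findings.append(f"{princ}: in keytab, not in KDC output")
        elif not kvnos & kdc_kvnos:
            findings.append(f"{princ}: keytab kvno {sorted(kvnos)}, KDC kvno {sorted(kdc_kvnos)}")
    for princ, kvno, etype in sorted(used):
        if (kvno, etype) not in kdc.get(princ, []):
            findings.append(f"{princ}: service used kvno {kvno}/{etype}, not a current KDC key")
    return findings

# Values copied from the post (slave keytab rows, getprinc keys, one trace line).
KEYTAB = "    1    2                  host/slave at REALM\n    2    2  host/slave.rutgers.edu at REALM\n"
KDC = ("Principal: host/slave at REALM\nKey: vno 2, des-cbc-crc, no salt\nMKey: vno 1\n"
       "Principal: host/slave.rutgers.edu at REALM\nKey: vno 2, des-cbc-crc, no salt\n")
TRACE = "Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success"

def check_post_output():
    return cross_check(parse_ktutil(KEYTAB), parse_getprinc(KDC), parse_trace(TRACE))
```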


