Kerberos Slave Propagation

Illia Baidakov illia at newchem.ru
Tue Dec 23 05:15:24 EST 2003


Hello!
<ms419 at freezone.co.uk> wrote in message
news:21CCFD05-351C-11D8-BAA9-000A95C71776 at freezone.co.uk...
> Hello. I am having trouble propagating my kerberos database to a slave
> KDC. Honestly, I don't know what I'm doing. I have, however, read
> absolutely every piece of documentation available. I am stuck.
>
> My master KDC and admin server are a Debian Linux machine running the
> MIT kerberos implementation. I installed these myself according to
> instructions. They work without problem. My slave KDC is a Mac OS 10.3,
> Panther, machine.
>
> DNS has been correctly configured for each machine.
>
> host wum.lat
> wum.lat has address 192.168.179.73
>
> host 192.168.179.73
> 73.179.168.192.in-addr.arpa domain name pointer wum.lat.
>
> host sil.fis.lat
> sil.fis.lat has address 192.168.179.43
>
> host 192.168.179.43
> 43.179.168.192.in-addr.arpa domain name pointer sil.fis.lat.
>
> /etc/krb5.conf on the Linux machine and
> /Library/Preferences/edu.mit.Kerberos on the Panther machine have been
> correctly configured.
>
> [libdefaults]
>          default_realm = LAT
>
> [realms]
>          LAT = {
>                  kdc = wum.lat
>                  kdc = sil.fis.lat
>                  admin_server = wum.lat
>          }
>
IMHO, you need to add the correct [domain_realm] section to the krb5.conf file.
Try adding it on either or both of the master and slave servers.
An example:
[domain_realm]
    .fis.lat = LAT
    fis.lat = LAT

I've suffered from such a problem. After doing that, I got propagation working.
Usually your log files contain a detailed description of the actions you are
performing, particularly the full principal names which your servers are
trying to construct according to your system configuration.

Check your krb5.keytab file on the slave server too.

> The principals host/wum.lat and host/sil.fis.lat have been added to the
> database. Using kadmin, I extracted the principal host/wum.lat on
> wum.lat and the principal host/sil.fis.lat on sil.fis.lat.
>
> On the Panther machine, I created /var/db/krb5kdc/kpropd.acl.
>
> host/wum.lat@LAT
> host/sil.fis.lat@LAT
>
> I also created /etc/xinetd.d/krb5_prop.
>
> service krb5_prop
> {
>          disable = no
>          socket_type     = stream
>          wait            = no
>          user            = root
>          server          = /usr/sbin/kpropd
>          groups          = yes
>          flags           = REUSE
> }
>
> Finally, I added krb5_prop 754/tcp to /etc/services.
>
> On the Linux machine, I ran kdb5_util dump
> /var/lib/krb5kdc/slave_datatrans. Running kprop sil.fis.lat, however,
> fails.
>
> kprop: Server rejected authentication (during sendauth exchange) while
> authenticating to server
> Generic remote error: Wrong principal in request
>
> I have rechecked every step. I followed the instructions exactly,
> except that I haven't set up klogind on Panther. klogind is not included
> with the kerberos distribution for Panther.
>
> What is the problem?
>
> Thanks,
>
> Jack
>

Best regards Illia Baidakov.
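
Added example, not part of the original message and not MIT's code: a simplified model of how a hostname is mapped to a realm through [domain_realm], run against the krb5.conf quoted above with and without the suggested section. The fallback (the host's domain portion in upper case when no entry applies) follows the MIT krb5.conf documentation and ignores KDC referrals; the function names are hypothetical.

```python
# Added example: simplified [domain_realm] lookup, not the library's own code.
ORIGINAL_CONF = """\
[libdefaults]
         default_realm = LAT
[realms]
         LAT = {
                 kdc = wum.lat
                 kdc = sil.fis.lat
                 admin_server = wum.lat
         }
"""
# The same file with the [domain_realm] section from the reply appended.
FIXED_CONF = ORIGINAL_CONF + """\
[domain_realm]
    .fis.lat = LAT
    fis.lat = LAT
"""

def parse_domain_realm(conf_text):
    """Return {host-or-.domain: realm} from the [domain_realm] section."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def host_realm(host, mapping):
    """Try the exact host name, then each parent domain written with a leading dot."""
    host = host.lower().rstrip(".")
    candidate = host
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        dot = candidate.find(".", 1)             # skip a leading dot, if any
        candidate = candidate[dot:] if dot != -1 else ""
    # Assumed fallback: domain portion of the host name, upper-cased.
    domain = host.partition(".")[2]
    return domain.upper() if domain else None

def host_principal(host, mapping):
    """Full host service principal name that results from the mapping."""
    return "host/%s@%s" % (host.lower(), host_realm(host, mapping))

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("with [domain_realm]", FIXED_CONF)):
        rules = parse_domain_realm(conf)
        print(label, [host_principal(h, rules) for h in ("wum.lat", "sil.fis.lat")])
```

Comparing these names with the entries in the slave's krb5.keytab and kpropd.acl shows whether both sides construct the same principal.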



