kprop trouble.
Nick Palmer
nick at sluggardy.net
Mon Apr 12 17:10:05 EDT 2004
John Hascall wrote:
| Show us the kdc.conf on your machines...
Sure.
On the master (elwing):
# cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 88,750
[realms]
    SLUGGARDY.NET = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5.keytab
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
On the slave (mithrandir):
# cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 88,750
[realms]
    SLUGGARDY.NET = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5.keytab
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
There are a couple of things that I have been kicking around in my head
that may be causing the trouble. Will kprop work properly if the slave
KDC is behind a NATing firewall? I can't think of a reason why it should
matter, but I thought I would check. I have the master KDC behind a
non-NATing firewall, but the slave is in my home NATed network. Could this
be the problem? If I get a chance I may try moving the machine in front
of the firewall and see if that makes a difference.
Thanks for any help, I really appreciate it. I love what I have seen of
Kerberos so far and would really like to get it working properly.
-Nick