kprop: Key table entry not found while getting initial ticket
Jud Bishop
judson.bishop at eamc.org
Fri Jan 30 18:46:48 EST 2004
I try to take good notes so that I can reproduce my problems and
successes. This week is the first time I have ever touched kerberos. I
am using Red Hat ES3 and the default rpms.
The short of it:
kdb5_util dump /var/kerberos/krb5kdc/dump
kprop -f /var/kerberos/krb5kdc/dump mail.eamc.net
kprop: Key table entry not found while getting initial ticket
Now what?
My guess is that I am not asking for the correct ticket for kpropd. A
normal inetd.conf entry would be:
krb5_prop stream tcp nowait root /usr/kerberos/sbin/kpropd kpropd
My thinking is that the second kpropd is my principal. However, my
xinetd entry does not. I have tried it both ways so am sending
everything I have to the list.
I have also changed my logging from the basic stuff in RH to:
kdc = SYSLOG:INFO:LOCAL1
admin_server = SYSLOG:INFO:LOCAL2
hoping I would get more debug information, but no dice.
I have googled, read the docs in /usr/share/doc/krb5-server/ and done
this twice. I am very frustrated and would appreciate any help.
# cat /etc/xinetd.d/krb5_prop
# 2004-01-27 Jud Bishop
# description: kpropd is the propagation daemon for Kerberos
service krb5_prop
{
flags = KEEPALIVE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/kpropd
# server = /usr/kerberos/sbin/kpropd kpropd
# server_args = kpropd
enable = yes
}
How I got here:
Make sure you have NTP running and the times are close.
Make sure your /etc/hosts files are correct.
On the master:
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost blues kerberos
172.16.1.56 blues.eamc.net kerberos.eamc.net kerberos
On the slave:
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost mail kerberos-1
172.16.1.55 mail.eamc.net kerberos-1.eamc.net mail kerberos-1
Make sure your DNS entries are correct, both forward and reverse:
eamc.net. A 172.16.1.110
www CNAME eamc.net.
mail A 172.16.1.55
blues A 172.16.1.56
webmail CNAME blues
; Kerberos Stuff
kerberos CNAME blues
kerberos-1 CNAME mail
;ldap CNAME blues
;ldap-1
; Kerberos master setup
_kerberos TXT "EAMC.NET"
_kerberos-master._udp SRV 0 0 88 kerberos
_kerberos-adm._tcp SRV 0 0 749 kerberos
_kpasswd._udp SRV 0 0 464 Kerberos
; Round-robin setup
_kerberos._udp SRV 0 0 88 kerberos
_kerberos._udp SRV 0 0 750 kerberos
; SRV 0 0 88 kerberos-1
; SRV 0 0 88 kerberos-2
_ldap._tcp.eamc.net SRV 0 0 389 ldap
; SRV 0 0 389 ldap-1
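Two things are worth checking in a zone like the one above before relying on it for KDC discovery: RFC 2782 requires an SRV target to be a name that has address records, not an alias, and here every SRV target is the CNAME kerberos; and an owner name written without a trailing dot is relative to the zone origin, so a name that already ends in eamc.net gets the origin appended a second time. The lint below is an added example and not part of the original post. The zone text is a constructed copy of the records shown above with the comments removed, and the origin eamc.net is assumed from the file.

```shell
#!/bin/sh
# Lint for the SRV records used by Kerberos clients for KDC discovery.
# Added example, not from the original post. Assumes a BIND-style zone
# whose origin is eamc.net; the ZONE text below is constructed from the
# records shown in the post, comments stripped.

ZONE_ORIGIN="eamc.net"

# Constructed sample zone fragment.
ZONE=$(cat <<'EOF'
mail A 172.16.1.55
blues A 172.16.1.56
kerberos CNAME blues
kerberos-1 CNAME mail
_kerberos TXT "EAMC.NET"
_kerberos-master._udp SRV 0 0 88 kerberos
_kerberos-adm._tcp SRV 0 0 749 kerberos
_kpasswd._udp SRV 0 0 464 Kerberos
_kerberos._udp SRV 0 0 88 kerberos
_ldap._tcp.eamc.net SRV 0 0 389 ldap
EOF
)

# lint_srv_records ZONE_TEXT ORIGIN
# Prints one finding per line and returns 1 if anything was found,
# 0 if the SRV records are clean. Names are case-folded as DNS is.
lint_srv_records() {
    zone="$1"; origin="$2"
    findings=$(printf '%s\n' "$zone" | awk -v origin="$origin" '
        /^;/ || NF < 3 { next }                 # skip comments and blank lines
        $2 == "CNAME" { cname[tolower($1)] = $3 }
        $2 == "A"     { addr[tolower($1)] = $3 }
        $2 == "SRV"   { srv[++ns] = $0 }
        END {
            for (i = 1; i <= ns; i++) {
                split(srv[i], f, " ")
                owner = f[1]; target = tolower(f[6])
                # RFC 2782: the target must not be an alias
                if (target in cname)
                    printf "%s: target %s is a CNAME (RFC 2782 forbids aliases)\n", owner, f[6]
                else if (!(target in addr) && substr(target, length(target)) != ".")
                    printf "%s: target %s has no A record in this zone\n", owner, f[6]
                # a relative owner ending in the origin expands to owner.origin.
                if (substr(owner, length(owner)) != "." && index(owner, "." origin) == length(owner) - length(origin))
                    printf "%s: relative name contains the origin; missing trailing dot?\n", owner
            }
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: run the lint over the sample and show the findings.
lint_srv_records "$ZONE" "$ZONE_ORIGIN"
```

Pointing the SRV targets at blues and mail directly (the names that carry the A records) clears the alias findings; the last finding goes away once the _ldap owner is written either relative (_ldap._tcp) or fully qualified with a trailing dot.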
Edit the files listed below and change everything from
EXAMPLE.COM/example.com to your domain name; make sure to preserve the
CAPS/small case, as this matters.
/etc/krb5.conf
/etc/krb.conf
/etc/krb.realms
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kadm5.acl
Now it's time to create the new realm.
master# kdb5_util create -r EAMC.NET -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm
'EAMC.NET',
master key name 'K/M at EAMC.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
master# kadmin.local
Authenticating as principal root/admin at EAMC.NET with password.
kadmin.local: listprincs
K/M at EAMC.NET
kadmin/admin at EAMC.NET
kadmin/changepw at EAMC.NET
kadmin/history at EAMC.NET
krbtgt/EAMC.NET at EAMC.NET
Creates:
principal
principal.kadm5
principal.kadm5.lock
principal.ok
master# kadmin.local
Authenticating as principal root/admin at EAMC.NET with password.
kadmin.local: addprinc root/admin at EAMC.NET
kadmin.local: addprinc misjlb/admin at EAMC.NET
kadmin.local: addprinc admin/admin at EAMC.NET
Grant access to the administrative control list for our new users,
misjlb and root.
master# cat /var/kerberos/krb5kdc/kadm5.acl
root/admin at EAMC.NET *
misjlb/admin at EAMC.NET *
Restart kadmind to make the changes take effect.
master# /etc/init.d/kadmin restart
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 5, encryption type Triple DES
cbc mode with HMAC/sha1 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 5, encryption type DES cbc
mode with CRC-32 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5, encryption type DES cbc
mode with CRC-32 added to keytab
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:
master# kadmin
Authenticating as principal misjlb/admin at EAMC.NET with password.
Enter password:
kadmin:
Now let's add a day to day user.
kadmin.local: addprinc misjlb/@EAMC.NET
Enter password for principal "misjlb at EAMC.NET":
Re-enter password for principal "misjlb at EAMC.NET":
Principal "misjlb at EAMC.NET" created.
Slave propagation.
Install Kerberos on the slave boxes. On both the master and slave add
the slave kdc to the [realms] stanza in /etc/krb5.conf
[realms]
EAMC.NET = {
kdc = blues.eamc.net:88
kdc = mail.eamc.net:88
admin_server = blues.eamc.net:749
default_domain = eamc.net
}
And add the slave to /etc/krb.conf
EAMC.NET
EAMC.NET blues.eamc.net:88
EAMC.NET mail.eamc.net:88
EAMC.NET blues.eamc.net:749 admin server
slave# kadmin
Authenticating as principal root/admin at EAMC.NET with password.
kadmin: Cannot contact any KDC for requested realm while initializing
kadmin interface
OK. Let's just try to get a ticket...
slave# kinit root/admin at EAMC.NET
kinit(v5): Cannot contact any KDC for requested realm while getting
initial credentials
Looks like we have firewall problems...
Let's run this wide open while we test, then we'll add the following
ports and test again to make sure it works through the firewall.
Ports to open in the future:
88 tcp/udp authentication
389
464
749 tcp/udp slave propagation
750
754 slave propagation
2105 eklogin
master# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
slave# /etc/init.d/krb5kdc status
krb5kdc is stopped
slave# /etc/init.d/kadmin status
kadmind is stopped
slave# kinit
kinit(v5): Client not found in Kerberos database while getting initial
credentials
I'll bet we need to add our principal data since our host is not yet in
the database:
slave# kinit root/admin at EAMC.NET
Password for root/admin at EAMC.NET:
slave#
We got a ticket.
slave# kadmin
Authenticating as principal root/admin at EAMC.NET with password.
Enter password:
kadmin:
We are in!
Now continuing on the slave...
kadmin: listprincs
K/M at EAMC.NET
admin/admin at EAMC.NET
kadmin/admin at EAMC.NET
kadmin/changepw at EAMC.NET
kadmin/history at EAMC.NET
krbtgt/EAMC.NET at EAMC.NET
misjlb/admin at EAMC.NET
misjlb at EAMC.NET
root/admin at EAMC.NET
kadmin: addprinc -randkey host/mail.eamc.net
WARNING: no policy specified for host/mail.eamc.net at EAMC.NET; defaulting
to no policy
Principal "host/mail.eamc.net at EAMC.NET" created.
kadmin: ktadd host/mail.eamc.net
Entry for principal host/mail.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: listprincs
K/M at EAMC.NET
admin/admin at EAMC.NET
host/mail.eamc.net at EAMC.NET
kadmin/admin at EAMC.NET
kadmin/changepw at EAMC.NET
kadmin/history at EAMC.NET
krbtgt/EAMC.NET at EAMC.NET
misjlb/admin at EAMC.NET
misjlb at EAMC.NET
root/admin at EAMC.NET
kadmin:
And on the master.
addprinc -randkey host/blues.eamc.net
WARNING: no policy specified for host/blues.eamc.net at EAMC.NET;
defaulting to no policy
Principal "host/blues.eamc.net at EAMC.NET" created.
kadmin: ktadd host/mail.eamc.net
Entry for principal host/mail.eamc.net with kvno 4, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 4, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:
Now create the file /var/kerberos/krb5kdc/kpropd.acl that allows
connection from the master to the slaves.
#cat /var/kerberos/krb5kdc/kpropd.acl
host/blues.eamc.net at EAMC.NET
host/mail.eamc.net at EAMC.NET
On both master and slave set up /etc/xinetd.d/krb5_prop and restart.
# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
#
master# kdb5_util dump /var/kerberos/krb5kdc/dump
master# kprop -f /var/kerberos/krb5kdc/dump mail.eamc.net
kprop: Key table entry not found while getting initial ticket
Now what?
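One point about the inetd.conf line quoted at the top: the trailing kpropd is argv[0] handed to the server program, not a principal name. kprop's client identity comes from a keytab. It authenticates as host/<master fqdn>@REALM using the key in /etc/krb5.keytab (or the file named with -s), and kpropd on the slave accepts that client only if kpropd.acl lists the same principal. "Key table entry not found while getting initial ticket" is the error produced when the client's key is absent from that keytab. The pre-flight check below is an added example, not part of the original post: it evaluates both conditions over captured klist -k and kpropd.acl text, so it runs without a KDC. The two samples are constructed to mirror what the walkthrough shows, a master-side ktadd of host/mail.eamc.net and the kpropd.acl listed above; REALM and MASTER_FQDN are taken from the post.

```shell
#!/bin/sh
# Pre-flight check for kprop. Added example, not part of the original post.
# Works on text captured from
#   klist -k /etc/krb5.keytab              (run on the master)
#   cat /var/kerberos/krb5kdc/kpropd.acl   (from the slave)
# so it can be run anywhere.

REALM="EAMC.NET"
MASTER_FQDN="blues.eamc.net"

# Constructed sample: klist -k output on the master, matching the
# master-side "ktadd host/mail.eamc.net" shown in the post.
MASTER_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/mail.eamc.net@EAMC.NET
   4 host/mail.eamc.net@EAMC.NET
EOF
)

# Constructed sample: kpropd.acl on the slave, as listed in the post.
SLAVE_KPROPD_ACL='host/blues.eamc.net@EAMC.NET
host/mail.eamc.net@EAMC.NET'

# keytab_has_principal KLIST_TEXT PRINCIPAL
# Returns 0 if a KVNO line in the klist -k output names the principal exactly.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# acl_allows_principal ACL_TEXT PRINCIPAL
# Returns 0 if the ACL has a line that is exactly the principal.
acl_allows_principal() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# kprop_preflight KLIST_TEXT ACL_TEXT MASTER_FQDN REALM
# Prints a diagnosis for each failed condition; returns the number of
# failures, so 0 means propagation should at least authenticate.
kprop_preflight() {
    klist_out="$1"; acl="$2"; master="$3"; realm="$4"
    princ="host/$master@$realm"
    failures=0
    if ! keytab_has_principal "$klist_out" "$princ"; then
        echo "master keytab lacks $princ: kprop reports 'Key table entry not found'"
        failures=$((failures + 1))
    fi
    if ! acl_allows_principal "$acl" "$princ"; then
        echo "slave kpropd.acl does not list $princ: kpropd rejects the connection"
        failures=$((failures + 1))
    fi
    return $failures
}

# Usage: check the constructed samples.
kprop_preflight "$MASTER_KLIST" "$SLAVE_KPROPD_ACL" "$MASTER_FQDN" "$REALM"
```

Against the sample data the first check fails and the second passes, which is the combination that yields the error quoted at the top of the message. Adding a host/blues.eamc.net entry to the master's keytab (ktadd on the master for the master's own host principal) makes the check pass.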
THE FOLLOWING IS FOR REPLICATION AND WAS MY FIRST TRY
THIS IS FOR DNS BASED AND DID NOT WORK
Prepare for slave KDCs.
We are going to set these up according to the install guide because they
allow us to easily switch the master and slave servers. Maintenance can be
a pain on a box that must have five 9s. I also alias all of the names in
DNS so that we can change the names easily.
The hosts are kerberos.eamc.net and kerberos1.eamc.net; kerberos is the
primary and kerberos1 is the slave.
kadmin
Authenticating as principal root/admin at EAMC.NET with password.
Enter password:
kadmin: addprinc -randkey host/kerberos.eamc.net
WARNING: no policy specified for host/kerberos.eamc.net at EAMC.NET;
defaulting to no policy
Principal "host/kerberos.eamc.net at EAMC.NET" created.
kadmin: addprinc -randkey host/kerberos-1.eamc.net
WARNING: no policy specified for host/kerberos-1.eamc.net at EAMC.NET;
defaulting to no policy
Principal "host/kerberos-1.eamc.net at EAMC.NET" created.
kadmin.local: addprinc -randkey host/mail.eamc.net
WARNING: no policy specified for host/mail.eamc.net at EAMC.NET; defaulting
to no policy
Principal "host/mail.eamc.net at EAMC.NET" created.
kadmin.local: addprinc -randkey host/webmail.eamc.net
WARNING: no policy specified for host/webmail.eamc.net at EAMC.NET;
defaulting to no policy
Principal "host/webmail.eamc.net at EAMC.NET" created.
ktadd kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 4, encryption type Triple DES
cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type DES cbc
mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/changepw with kvno 4, encryption type Triple
DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/changepw with kvno 4, encryption type DES cbc
mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: ktadd host/kerberos.eamc.net
Entry for principal host/kerberos.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/kerberos.eamc.net with kvno 3, encryption type
DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
NOTE: Make sure that the file listed at the end of the ktadd command
matches the entry in /var/kerberos/krb5kdc/kdc.conf
or you will get this error
Create kpropd.acl with entries for both Kerberos boxes.
# cat /var/kerberos/krb5kdc/kpropd.acl
host/kerberos.eamc.net at EAMC.NET
host/kerberos-1.eamc.net at EAMC.NET
Set up xinetd for access.
# cat krb5_prop
# 2004-01-27 Jud Bishop
# description: kpropd is the propagation daemon for Kerberos
service krb5_prop
{
flags = KEEPALIVE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/kpropd
# server_args = kpropd
enable = yes
}
# cat eklogin
# 2004-01-27 Jud Bishop
# Turned this on.
# description: The encrypting kerberized rlogin server accepts rlogin sessions \
# authenticated and encrypted with Kerberos 5.
service eklogin
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/klogind
server_args = -e -5
disable = no
}
And restart xinetd.
# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
On the slave KDC copy over the following files from the master:
/var/kerberos/krb5kdc/kpropd.acl
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
/etc/krb5.conf
/etc/xinetd.d/krb5_prop
/etc/xinetd.d/eklogin
Restart xinetd on the slave.
# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Test one of the slave KDCs.
# kadmin
Authenticating as principal root/admin at EAMC.NET with password.
Enter password:
kprop: Client not found in Kerberos database while getting initial
ticket
Make sure you have
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Extract the host keytabs for the KDCs on the slaves.
kadmin: ktadd host/kerberos-1.eamc.net
Entry for principal host/kerberos-1.eamc.net with kvno 3, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/kerberos-1.eamc.net with kvno 3, encryption
type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd host/mail.eamc.net
Entry for principal host/mail.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd host/webmail.eamc.net
Entry for principal host/mail.eamc.net with kvno 3, encryption type
Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal host/mail.eamc.net with kvno 3, encryption type DES
cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: listprincs
K/M at EAMC.NET
admin/admin at EAMC.NET
host/kerberos-1.eamc.net at EAMC.NET
host/kerberos.eamc.net at EAMC.NET
host/mail.eamc.net at EAMC.NET
host/webmail.eamc.net at EAMC.NET
kadmin/admin at EAMC.NET
kadmin/changepw at EAMC.NET
kadmin/history at EAMC.NET
krbtgt/EAMC.NET at EAMC.NET
misjlb/admin at EAMC.NET
root/admin at EAMC.NET
kadmin: exit
Propagate the database.
On the master:
# kdb5_util dump /var/kerberos/krb5kdc/slave_data_trans