kprop issue: server rejected authentication....
Nick Bernstein
nbernstein at frontbridge.com
Tue Apr 12 21:23:36 EDT 2005
Man, I've been trying to figure this one out for a while. I've rebuilt my
kdcs - both slave and master - twice. I've checked and re-checked my host
files on both machines. I've re-done my acl numerous times. I scripted the
entire process so that I would be sure that I didn't deviate from the
instructions. I'm fricken stumped. I can't get kprop to work.
Lets start at the error, and then I'll go over what I've done to get here :
-------
command:
kprop -f /tmp/krb5.db.dump ks.frontbridge.com
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server Generic remote error: Wrong principal in request
-------
I used the following scripts to setup the servers. setup_kdc.sh for both the
kdc (kerberos) and the slave (ks), and then ran setup_slave on ks. Next I
ran the commands in kprop-master to try to transfer the files over to ks.
I'd really appreciate some help, I can't seem to figure this out and I've
been banging my head on this for almost two weeks now.
Thanks in advance,
Nick
---------
conf.txt
---------
# Variables
KDC="192.168.1.208"
KDC_HN="kerberos"
KDC2="192.168.1.207"
KDC2_HN="ks"
KC="192.168.1.216"
KC_HN="kc"
KRB_DOMAIN="FRONTBRIDGE.COM"
DOMAIN_NAME="frontbridge.com"
FQDN="${KDC_HN}.${DOMAIN_NAME}"
KBIN="/usr/kerberos/bin/"
KSBIN="/usr/kerberos/sbin"
YOUR_USER="nickb"
NTP_SERVER="pool.ntp.org"
KDC_ROOT="/var/kerberos/krb5kdc"
# Functions
function die {
echo "$1"
exit 1
}
function summary {
# Summerize the variables and make sure they are correct before running
clear
echo "Primary KDC: $KDC aka $KDC_HN"
echo "Secondary KDC: $KDC aka $KDC2_HN"
echo "Kerberos Client: $KC aka $KC_HN"
echo ""
echo "Kerberos Domain: $KRB_DOMAIN"
echo "Domain Name: $DOMAIN_NAME"
echo "System's FQDN: $FQDN"
echo ""
echo "Kerberos normal binaries: $KBIN"
echo "Kerberos sbin binaries: $KSBIN"
echo "Kerberos Root: $KDC_ROOT"
echo "your User: $YOUR_USER"
echo "Ntp Server: $NTP_SERVER"
CONTINUE="N"
read -t 10 -p "Is this Correct (y/n): " CONTINUE
if [[ $CONTINUE == "y" ]] ; then
echo "works"
else
echo "Please edit the variables in the beginning"
echo "of the script and make the needed changes."
fi
}
function add_ntp {
crontab -l > /tmp/crontab
echo "* * * * * /usr/sbin/ntpdate $NTP_SERVER 1>/dev/null" >> /tmp/crontab
crontab /tmp/crontab || die "could not create new crontab"
echo "added ntpdate to crontab"
}
function create_hostsfile {
cp /etc/hosts /etc/hosts.back || die "could not backup /etc/hosts"
cat <<EOT >> /etc/hosts
$KDC ${KDC_HN}.${DOMAIN_NAME} $KDC_HN
$KDC2 ${KDC2_HN}.${DOMAIN_NAME} $KDC2_HN
$KC ${KC_HN}.${DOMAIN_NAME} $KC_HN
EOT
echo "set hostname and created minimal /etc/hosts"
}
---------
kprop-master.sh
---------
#!/bin/bash
/usr/kerberos/sbin/kdb5_util dump /tmp/krb5.db.dump
/usr/kerberos/sbin/kprop -f /tmp/krb5.db.dump ks.frontbridge.com
---------
newfile
---------
---------\n
---------\n
---------\n
---------\n
---------\n
---------
setup_client.sh
---------
#!/bin/bash
#=== standard ===#
. conf.txt
summary
#================#
/usr/sbin/authconfig --krb5kdc=${KDC_HN} \
--krb5adminserver=${KDC_HN} \
--krb5realm=${KRB_DOMAIN}
add_ntp
hostname ${KC_HN.$DOMAIN_NAME}
create_hostsfile
---------
setup_kdc.sh
---------
#!/bin/bash
#=== standard ===#
. conf.txt
summary
#================#
CONTINUE="N"
read -t 10 -p "Is this Correct (y/n): " CONTINUE
if [[ $CONTINUE == "y" ]] ; then
echo "works"
else
echo "Please edit the variables in the beginning"
echo "of the script and make the needed changes."
fi
#function do_main {
# Setup ntp to get the clock synced.
# this will be replaced with ntpd once kerberos is not running
# in a vm on my laptop
crontab -l > /tmp/crontab
echo "* * * * * /usr/sbin/ntpdate $NTP_SERVER" >> /tmp/crontab
crontab /tmp/crontab || die "could not create new crontab"
echo "added ntpdate to crontab"
# put the kerberos host, the kerberos slave, and the kerberos client in
# the /etc/hosts/file
# set the hostname
/bin/hostname $FQDN || die "cound not set hostname"
cp /etc/hosts /etc/hosts.back || die "could not backup /etc/hosts"
cat <<EOT >> /etc/hosts
$KDC ${KDC_HN}.${DOMAIN_NAME} $KDC_HN
$KDC2 ${KDC2_HN}.${DOMAIN_NAME} $KDC2_HN
$KC ${KC_HN}.${DOMAIN_NAME} $KC_HN
EOT
echo "set hostname and created minimal /etc/hosts"
# Setup our kerb5.conf using redhat's example
cp /etc/krb5.conf /etc/krb5.conf.orig || die "could not backup
/etc/krb.conf"
cat <<EOT > /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = $KRB_DOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
$KRB_DOMAIN = {
kdc = $KDC_HN.$DOMAIN_NAME:88
admin_server = $KDC_HN.$DOMAIN_NAME:749
default_domain = $DOMAIN_NAME
}
[domain_realm]
.$DOMAIN_NAME = $KRB_DOMAIN
$DOMAIN_NAME = $KRB_DOMAIN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
EOT
echo "created inital krb5.conf"
# Create the skeleton database for the new realm
# then add the inital admin user in under the admin
# "group:
$KSBIN/kdb5_util create -s || die "could not create skeleton db"
echo "skeleton database created; here are the initial principals:"
$KSBIN/kadmin.local -q 'listprincs' || die "coult not query db (1)"
$KSBIN/kadmin.local -q "addprinc $YOUR_USER/admin" || die "could not add
$USER"
# start the kdc
# and get the inital ticket
/sbin/service krb5kdc start || die "could not start krb5kdc"
$KBIN/kinit $YOUR_USER/admin || die "could not run kinit"
# Setup kerberos access list
# to contain all users with an
# admin principal in their name
cp /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/kadm5.acl.orig ||
die "coult not backup kadm5.acl"
echo "*/admin@$KRB_DOMAIN *" > /var/kerberos/krb5kdc/kadm5.acl || die
"could not create kadm5.acl"
echo "created inital access list in /var/kerberos/krb5dv/kadm5.acl"
# add kadmin/admin and kadmin/changepw to the keytab
# enabling us to use kadmin over the network, not
# just kadmin.local
$KSBIN/kadmin.local -q "ktadd kadmin/admin kadmin/changepw" || die "could
not add kadmin/admin or kadmin/changepw - kadmin will not function
correctly"
echo "created kadmin/admin kadmin/changpw entries in keytab"
/sbin/service kadmin start || die "could not start kadmin"
# Turn on for runlevel 3 so this still works after rebooting.
/sbin/chkconfig krb5kdc --levels 3 on
/sbin/chkconfig kadmin --levels 3 on
#}
# KDC principals
$KSBIN/kadmin.local -q "addprinc -randkey host/${KDC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd host/${KDC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "addprinc -randkey sample/${KDC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd sample/${KDC_HN}.$DOMAIN_NAME"
# KDC2 principals
$KSBIN/kadmin.local -q "addprinc -randkey host/${KDC2_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd host/${KDC2_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "addprinc -randkey sample/${KDC2_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd sample/${KDC2_HN}.$DOMAIN_NAME"
# KC principals
$KSBIN/kadmin.local -q "addprinc -randkey host/${KC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd host/${KC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "addprinc -randkey sample/${KC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd sample/${KC_HN}.$DOMAIN_NAME"
# Add the root user
$KSBIN/kadmin.local -q 'addprinc root'
$KSBIN/kadmin.local -q 'ktadd root'
---------
setup_slave.sh
---------
#!/bin/bash
#=== standard ===#
. conf.txt
summary
#================#
# add the kpropd service to xinetd
cat <<EOT > /etc/xinetd.d/krb5_prop
# default: off
# description: The kerberized telnet server accepts normal telnet sessions,
\
# but can also use Kerberos 5 authentication.
service krb5_prop
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = $KSBIN/kpropd
log_on_failure += USERID
disable = no
}
EOT
echo "krb5_prop 754/tcp" >> /etc/services
# create the kpropd access control list
# which limits which servers can send us
# updates
cat <<EOT > $KDC_ROOT/kpropd.acl
host/${KDC_HN}.${DOMAIN_NAME}@${KRB_DOMAIN}
host/${KDC2_HN}.${DOMAIN_NAME}@${KRB_DOMAIN}
EOT
# Copy over the keytab
echo "Now going to copy over the /etc/krb5.keytab
scp $KDC_HN.$DOMAIN_NAME:/etc/krb5/keytab /etc/krb5.keytab
# Restart xinetd so the changes will
# take effect
service xinetd restart
FrontBridge introduces Message Archive and Secure Email. Get leading Enterprise Message Security services from FrontBridge. www.frontbridge.com.
More information about the Kerberos
mailing list