kprop issue: server rejected authentication....

Nick Bernstein nbernstein at frontbridge.com
Tue Apr 12 21:23:36 EDT 2005


Man, I've been trying to figure this one out for a while. I've rebuilt my
kdcs - both slave and master - twice. I've checked and re-checked my host
files on both machines. I've re-done my acl numerous times. I scripted the
entire process so that I would be sure that I didn't deviate from the
instructions. I'm fricken stumped. I can't get kprop to work. 
 
Lets start at the error, and then I'll go over what I've done to get here :
 
-------
command: 
kprop -f /tmp/krb5.db.dump ks.frontbridge.com
 
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server Generic remote error: Wrong principal in request
-------
 
I used the following scripts to setup the servers. setup_kdc.sh for both the
kdc (kerberos) and the slave (ks), and then ran setup_slave on ks. Next I
ran the commands in kprop-master to try to transfer the files over to ks. 
 
I'd really appreciate some help, I can't seem to figure this out and I've
been banging my head on this for almost two weeks now. 
 
Thanks in advance,
Nick
 
 
---------
conf.txt
---------
# Variables
 

KDC="192.168.1.208"
KDC_HN="kerberos"
 

KDC2="192.168.1.207"
KDC2_HN="ks"
 

KC="192.168.1.216"
KC_HN="kc"
 

KRB_DOMAIN="FRONTBRIDGE.COM"
DOMAIN_NAME="frontbridge.com"
FQDN="${KDC_HN}.${DOMAIN_NAME}"
 

KBIN="/usr/kerberos/bin/"
KSBIN="/usr/kerberos/sbin"
YOUR_USER="nickb"
NTP_SERVER="pool.ntp.org"
KDC_ROOT="/var/kerberos/krb5kdc"
 
# Functions
 

function die {
        echo "$1"
        exit 1
}
 
function summary {

# Summerize the variables and make sure they are correct before running
 
 clear
 echo "Primary KDC: $KDC aka $KDC_HN"
 echo "Secondary KDC: $KDC aka $KDC2_HN"
 echo "Kerberos Client: $KC aka $KC_HN"
 echo ""
 echo "Kerberos Domain: $KRB_DOMAIN"
 echo "Domain Name: $DOMAIN_NAME"
 echo "System's FQDN: $FQDN"
 echo ""
 echo "Kerberos normal binaries: $KBIN"
 echo "Kerberos sbin binaries: $KSBIN"
 echo "Kerberos Root: $KDC_ROOT"
 echo "your User: $YOUR_USER"
 echo "Ntp Server: $NTP_SERVER"
 

 CONTINUE="N"
 read -t 10 -p "Is this Correct (y/n): " CONTINUE
 if [[ $CONTINUE == "y" ]] ; then
         echo "works"
 else
         echo "Please edit the variables in the beginning"
         echo "of the script and make the needed changes."
 fi
} 
 
function add_ntp {
 crontab -l > /tmp/crontab
 echo "* * * * * /usr/sbin/ntpdate $NTP_SERVER 1>/dev/null" >> /tmp/crontab
 crontab /tmp/crontab || die "could not create new crontab"
 echo "added ntpdate to crontab"
 
}
 
function create_hostsfile { 
 
 cp /etc/hosts /etc/hosts.back || die "could not backup /etc/hosts"
cat <<EOT >> /etc/hosts
$KDC    ${KDC_HN}.${DOMAIN_NAME}        $KDC_HN
$KDC2   ${KDC2_HN}.${DOMAIN_NAME}       $KDC2_HN
$KC     ${KC_HN}.${DOMAIN_NAME} $KC_HN
EOT
 echo "set hostname and created minimal /etc/hosts"
 
}
---------
kprop-master.sh
---------
#!/bin/bash
/usr/kerberos/sbin/kdb5_util dump /tmp/krb5.db.dump
/usr/kerberos/sbin/kprop -f /tmp/krb5.db.dump ks.frontbridge.com
---------
newfile
---------
---------\n
---------\n
---------\n
---------\n
---------\n
---------
setup_client.sh
---------
#!/bin/bash
#=== standard ===#
. conf.txt
summary
#================#
 
/usr/sbin/authconfig  --krb5kdc=${KDC_HN} \
    --krb5adminserver=${KDC_HN} \
    --krb5realm=${KRB_DOMAIN}
 
add_ntp
hostname ${KC_HN.$DOMAIN_NAME}
create_hostsfile
---------
setup_kdc.sh
---------
#!/bin/bash
 
#=== standard ===#
. conf.txt
summary
#================#
 

CONTINUE="N"
read -t 10 -p "Is this Correct (y/n): " CONTINUE
if [[ $CONTINUE == "y" ]] ; then 
 echo "works" 
else 
 echo "Please edit the variables in the beginning"
 echo "of the script and make the needed changes."
fi
 
#function do_main { 
# Setup ntp to get the clock synced. 
# this will be replaced with ntpd once kerberos is not running
# in a vm on my laptop
 
crontab -l > /tmp/crontab
echo "* * * * * /usr/sbin/ntpdate $NTP_SERVER" >> /tmp/crontab
crontab /tmp/crontab || die "could not create new crontab"
echo "added ntpdate to crontab"
 
# put the kerberos host, the kerberos slave, and the kerberos client in
# the /etc/hosts/file
# set the hostname
 
/bin/hostname $FQDN || die "cound not set hostname"
cp /etc/hosts /etc/hosts.back || die "could not backup /etc/hosts"
cat <<EOT >> /etc/hosts
$KDC ${KDC_HN}.${DOMAIN_NAME} $KDC_HN
$KDC2 ${KDC2_HN}.${DOMAIN_NAME} $KDC2_HN
$KC ${KC_HN}.${DOMAIN_NAME} $KC_HN
EOT
echo "set hostname and created minimal /etc/hosts" 
 
# Setup our kerb5.conf using redhat's example
 
cp /etc/krb5.conf /etc/krb5.conf.orig || die "could not backup
/etc/krb.conf"
cat <<EOT > /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = $KRB_DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 
[realms]
 $KRB_DOMAIN = {
  kdc = $KDC_HN.$DOMAIN_NAME:88
  admin_server = $KDC_HN.$DOMAIN_NAME:749
  default_domain = $DOMAIN_NAME
 }
 
[domain_realm]
 .$DOMAIN_NAME = $KRB_DOMAIN
 $DOMAIN_NAME = $KRB_DOMAIN
 
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
EOT
echo "created inital krb5.conf"
 
# Create the skeleton database for the new realm
# then add the inital admin user in under the admin
# "group: 
 
$KSBIN/kdb5_util create -s || die "could not create skeleton db"
echo "skeleton database created; here are the initial principals:"
$KSBIN/kadmin.local -q 'listprincs' || die "coult not query db (1)"
$KSBIN/kadmin.local -q "addprinc $YOUR_USER/admin" || die "could not add
$USER"
 
# start the kdc 
# and get the inital ticket
 
/sbin/service krb5kdc start || die "could not start krb5kdc"
$KBIN/kinit $YOUR_USER/admin || die "could not run kinit"
 
# Setup kerberos access list
# to contain all users with an 
# admin principal in their name
 
cp /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/kadm5.acl.orig ||
die "coult not backup kadm5.acl"
echo "*/admin@$KRB_DOMAIN     *" > /var/kerberos/krb5kdc/kadm5.acl || die
"could not create kadm5.acl"
echo "created inital access list in /var/kerberos/krb5dv/kadm5.acl"
 
# add kadmin/admin and kadmin/changepw to the keytab
# enabling us to use kadmin over the network, not
# just kadmin.local 
 
$KSBIN/kadmin.local -q "ktadd kadmin/admin kadmin/changepw" || die "could
not add kadmin/admin or kadmin/changepw - kadmin will not function
correctly" 
echo "created kadmin/admin kadmin/changpw entries in keytab"
/sbin/service kadmin start || die "could not start kadmin"
 
# Turn on for runlevel 3 so this still works after rebooting.
 
/sbin/chkconfig krb5kdc --levels 3 on
/sbin/chkconfig kadmin  --levels 3 on
 

#}
 
# KDC principals
$KSBIN/kadmin.local -q "addprinc -randkey host/${KDC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd host/${KDC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "addprinc -randkey sample/${KDC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd sample/${KDC_HN}.$DOMAIN_NAME"
 
# KDC2 principals
$KSBIN/kadmin.local -q "addprinc -randkey host/${KDC2_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd host/${KDC2_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "addprinc -randkey sample/${KDC2_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd sample/${KDC2_HN}.$DOMAIN_NAME"
 
# KC principals
$KSBIN/kadmin.local -q "addprinc -randkey host/${KC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd host/${KC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "addprinc -randkey sample/${KC_HN}.$DOMAIN_NAME"
$KSBIN/kadmin.local -q "ktadd sample/${KC_HN}.$DOMAIN_NAME"
 
# Add the root user
 
$KSBIN/kadmin.local -q 'addprinc root'
$KSBIN/kadmin.local -q 'ktadd root'
---------
setup_slave.sh
---------
#!/bin/bash
#=== standard ===#
. conf.txt
summary
#================#
 
# add the kpropd service to xinetd
 
cat <<EOT > /etc/xinetd.d/krb5_prop
# default: off
# description: The kerberized telnet server accepts normal telnet sessions,
\
#              but can also use Kerberos 5 authentication.
service krb5_prop
{
 flags  = REUSE
 socket_type = stream        
 wait  = no
 user  = root
 server  = $KSBIN/kpropd 
 log_on_failure += USERID
 disable  = no
}
EOT
echo "krb5_prop 754/tcp" >> /etc/services
 
# create the kpropd access control list
# which limits which servers can send us
# updates
 
cat <<EOT > $KDC_ROOT/kpropd.acl
host/${KDC_HN}.${DOMAIN_NAME}@${KRB_DOMAIN}
host/${KDC2_HN}.${DOMAIN_NAME}@${KRB_DOMAIN}
EOT
 
# Copy over the keytab
 
echo "Now going to copy over the /etc/krb5.keytab
scp $KDC_HN.$DOMAIN_NAME:/etc/krb5/keytab /etc/krb5.keytab
 

# Restart xinetd so the changes will
# take effect
 
service xinetd restart




FrontBridge introduces Message Archive and Secure Email. Get leading Enterprise Message Security services from FrontBridge. www.frontbridge.com.




More information about the Kerberos mailing list