kpropd fails on multihomed KDCs set up according to FAQ

Michael Marziani mdmarziani at yahoo.com
Fri Jun 24 16:27:36 EDT 2005


I have scoured the internet for information on this error and found what should
be the answer in the Kerberos FAQ, only it still isn't working.

I'm running from kdc1:

/usr/krb5/sbin/kdb5_util dump /usr/krb5/lib/krb5kdc/slave_datatrans

then:

/usr/krb5/sbin/kprop -f /usr/krb5/lib/krb5kdc/slave_datatrans kdc2.mydomain.com

The error is:

/usr/krb5/sbin/kprop: Server rejected authentication (during sendauth exchange)
while authenticating to server
/usr/krb5/sbin/kprop: Incorrect net address signalled from server
Error text from server: Incorrect net address

I configured my DNS with the multi-homed hosts in mind as directed by Subject
2.14 of the Kerberos FAQ v2.0, using the "multiple address records per host"
scheme that the author recommends.  Output of the 'dig' command on both kdc1
and kdc2 shows all 3 addresses for each host pointing to the same hostname:

;; ANSWER SECTION:
kdc1.mydomain.com.  1D IN A  10.1.1.98
kdc1.mydomain.com.  1D IN A  10.1.1.99
kdc1.mydomain.com.  1D IN A  10.1.1.101

;; ANSWER SECTION:
kdc2.mydomain.com.  1D IN A  10.1.1.102
kdc2.mydomain.com.  1D IN A  10.1.1.103
kdc2.mydomain.com.  1D IN A  10.1.1.104

The reverse lookup records are all there as well and 'dig' confirms each one
matches the above forward lookup entries.

I'm using Solaris 9.  I know that I've confined the problem to the multihoming
because if I remove multihoming on kdc1 and re-try the replication, it works
fine.  Does anyone know what I might be doing wrong?

Thanks and best regards,

-Michael
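
The forward/reverse cross-check that the message describes doing by hand with 'dig', as an added example that is not part of the original post. The A records are the kdc1 answers quoted above; the PTR lines, the function names and the IPv4-only parsing are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample. The A records are the kdc1 answers quoted in the post;
# the PTR lines are constructed to mirror the reverse records it says exist.
SAMPLE = """\
;; ANSWER SECTION:
kdc1.mydomain.com.  1D IN A  10.1.1.98
kdc1.mydomain.com.  1D IN A  10.1.1.99
kdc1.mydomain.com.  1D IN A  10.1.1.101
98.1.1.10.in-addr.arpa.  1D IN PTR  kdc1.mydomain.com.
99.1.1.10.in-addr.arpa.  1D IN PTR  kdc1.mydomain.com.
101.1.1.10.in-addr.arpa.  1D IN PTR  kdc1.mydomain.com.
"""

RECORD = re.compile(r"^(\S+)\s+\S+\s+IN\s+(A|PTR)\s+(\S+)$")


def parse_records(text):
    """Return (forward, reverse): name -> {IPs} and IP -> {names}."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # ';;' section headers, blank lines, other record types
        owner, rtype, rdata = m.groups()
        owner, rdata = owner.rstrip(".").lower(), rdata.rstrip(".").lower()
        if rtype == "A":
            forward.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
        else:
            # IPv4 only: 98.1.1.10.in-addr.arpa -> 10.1.1.98
            ip = ipaddress.ip_address(".".join(reversed(owner.split(".")[:4])))
            reverse.setdefault(ip, set()).add(rdata)
    return forward, reverse


def inconsistencies(text):
    """List every address whose forward and reverse records disagree."""
    forward, reverse = parse_records(text)
    problems = []
    for name in sorted(forward):
        for ip in sorted(forward[name]):
            names = reverse.get(ip, set())
            if not names:
                problems.append(f"{ip}: no PTR record (forward name {name})")
            elif name not in names:
                problems.append(f"{ip}: PTR gives {sorted(names)}, A record belongs to {name}")
    for ip in sorted(reverse):
        for name in sorted(reverse[ip]):
            if ip not in forward.get(name, set()):
                problems.append(f"{ip}: PTR names {name}, which has no A record for it")
    return problems
```

An empty list means every address of the host maps back to the same name, which is the state the message reports for both KDCs.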

