kprop fails on multihomed KDCs set up according to FAQ (solved)

[Michael Marziani]

Many thanks to the people that helped me with this.

After a few dead ends I decided to just compile the MIT code on my Solaris 9
box and see if the kprop included with that would work.  Turns out it worked
just fine, and communicated with the Sun SEAM KDCs with no problems.  I'm not
sure at what point Sun forked MIT's code but it's happy now and I really
appreciate the quick response by the people on this list.

I'm going to stick around and see what help I may be to other users.

Thanks again,

-Michael


--- Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

> >/usr/krb5/sbin/kprop: Server rejected authentication (during sendauth
> exchange)
> >while authenticating to server
> >/usr/krb5/sbin/kprop: Incorrect net address signalled from server
> >Error text from server: Incorrect net address
> 
> Hm.  DNS really shouldn't affect things in this way (usually the problem
> lies with resolving hostnames for the service principal name).
> 
> Based on these error messages, the server is rejecting the AP_REQ that
> the client sends to it, based on the IP address in it.  The IP address(es)
> in the AP_REQ come from the IP addresses that the client detects that
> the host has (the client walks the interface list and for every interface
> it finds, it adds it to the AP_REQ).
> 
> It seems to me that however you're doing multihoming, the Kerberos
> client code isn't detecting the additional interfaces correctly.  Are
> these "real" additional interfaces, or are they aliases or virtual
> interfaces?  If they're aliases, then I would guess that's the
> problem.  That's probably a bug ... but if that's the problem, I'd ask
> why you're doing multihoming that way, because if they're on the same
> network, you won't gain any reliability (IMHO).
> 
> --Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>