Dump to slave fails; "Password has expired while getting initial ticket"
Yeechang Lee
ylee at pobox.com
Sat Sep 17 17:31:01 EDT 2005
Jeffrey Hutzelman wrote:
> > /usr/kerberos/sbin/kprop: Password has expired while getting
> > initial ticket
>
> I believe the principal you're looking for is kprop/fqdn.of.master.kdc
Close; it turned out to be host/fqdn.of.master.kdc@EXAMPLE.COM.
> You should probably arrange for it not to have a password expiration
> policy.
For others' benefit, here's how I did this:
kadmin: listprincs
[...]
host/fqdn.of.master.kdc@EXAMPLE.COM
host/fqdn.of.slave.kdc@EXAMPLE.COM
host/another.machine.in.realm@EXAMPLE.COM
[...]
kadmin: getprinc host/fqdn.of.master.kdc@EXAMPLE.COM
[...]
Password expiration date: Thu Aug 25 12:30:07 PDT 2005
[...]
kadmin: modify_principal -pwexpire never host/fqdn.of.master.kdc@EXAMPLE.COM
Principal "host/fqdn.of.master.kdc@EXAMPLE.COM" modified.
kadmin: modify_principal -pwexpire never host/fqdn.of.slave.kdc@EXAMPLE.COM
Principal "host/fqdn.of.slave.kdc@EXAMPLE.COM" modified.
kadmin: modify_principal -pwexpire never \
host/another.machine.in.realm@EXAMPLE.COM
Principal "host/another.machine.in.network@EXAMPLE.COM" modified.
I then copied /var/kerberos/krb5kdc/principal from the master to the
slave KDC. Now the database propagation works again.
(I don't know if I only had to turn off password expiration for the
master or slave KDC's host principal, and I surely didn't have to do
so for the third, non-KDC machine in my home network/realm. However, I
figured it made sense to be consistent across the board; after all,
who knows if I'll one day run a slave KDC on the third machine as
well?)
--
<URL:http://www.pobox.com/~ylee/> PERTH ----> *
Homemade 2.8TB RAID 5 storage array:
<URL:http://groups.google.ca/groups?selm=slrnd1g04a.5mt.ylee%40pobox.com>
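
Added example, not part of the original post: a shell function that reads `getprinc` output and lists the service principals that still carry a password expiration, which is the condition that broke kprop in this thread. The function name, the prefix argument and the sample records are assumptions constructed for illustration; the collection loop in the comment assumes kadmin.local is run as root on the master KDC.

```shell
#!/bin/sh
# On a live KDC the input could be collected with (not run here):
#   for p in $(kadmin.local -q 'listprincs host/*' | grep '^host/'); do
#       kadmin.local -q "getprinc $p"; done

# audit_pwexpire [PREFIX]  (hypothetical helper)
# Reads getprinc output on stdin and prints "principal<TAB>expiration"
# for each principal whose name starts with PREFIX (default "host/")
# and whose password expiration is set.
audit_pwexpire() {
    awk -v prefix="${1:-host/}" '
        /^Principal: / { princ = substr($0, 12) }
        /^Password expiration date: / {
            exp_date = substr($0, 27)
            # MIT kadmin prints [never] (older releases: [none]) when unset
            if (exp_date != "[never]" && exp_date != "[none]" &&
                index(princ, prefix) == 1)
                printf "%s\t%s\n", princ, exp_date
        }'
}

# Constructed sample input modeled on the session in the post.
sample_getprinc() {
    cat <<'EOF'
Principal: host/fqdn.of.master.kdc@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Feb 25 12:30:07 PST 2005
Password expiration date: Thu Aug 25 12:30:07 PDT 2005
Principal: host/fqdn.of.slave.kdc@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [never]
Principal: ylee@EXAMPLE.COM
Expiration date: [never]
Password expiration date: Thu Aug 25 12:30:07 PDT 2005
EOF
}

# Only the master host principal is reported; the user principal is
# skipped because it does not match the "host/" prefix.
sample_getprinc | audit_pwexpire
```

Any principal the function prints is a candidate for `modify_principal -pwexpire never`, as done in the post.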