Problems with kpropd

Juliet Kemp j.kemp at
Fri Aug 11 11:01:51 EDT 2006

Mike Dopheide wrote:
> My first guess is that the slave KDC doesn't have a host/ entry in the 
> principal database (and in it's krb5.keytab).  Check your kerberos logs 
> and see if you're getting a client not found error for 
> host/

Many thanks for this - it wasn't host/ but 
host/localhost.localdomain (i.e. the requesting host) that was the problem.

Adding this to the principal database (& extracting it to keytabs on 
both master & slave) fixed the immediate problem.  However:

a) I'd rather not have a host/localhost.localdomain principal.  How 
should I ensure that the requesting host uses its proper name?

b) I've now encountered another problem:
  kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db
kprop: Decrypt integrity check failed while getting initial ticket

I found this thread:

& discovered a key number mismatch on the master.  Curiously, it seems 
that on adding host/localhost.localdomain, its kvno was 4, but the first 
time I extracted it, its kvno was 3.  Is this normal/correct?  Anyway, I 
fixed that, but then got this error:

kprop: Server rejected authentication (during sendauth exchange) while 
authenticating to server
Generic remote error: Key version number for principal in key table is 

I tried to fix this by extracting the key to the slave keytab: after 
this I was back to the original error:

kprop: Decrypt integrity check failed while getting initial ticket

At this point, on the master, the kvno matches in keytab & main 
database; but it doesn't on the slave.  I can't see how to fix this, 
since each extraction seems to +1 to the kvno.

However, kinit as host/localhost.localdomain, using the relevant keytab, 
works on both master & slave.

I'm kind of stuck at this point!  Any suggestions would be much appreciated!


+ Ms Juliet Kemp                                                +
+ Computer Manager		            star at         +
+ Astrophysics Group                                            +
+ Imperial College                  Tel: +44 (0)20759 47538     +
+ London. SW7 2AZ                   Fax: +44 (0)20759 47541     +

More information about the Kerberos mailing list