Problems with kpropd

Mike Dopheide dopheide at ncsa.uiuc.edu
Fri Aug 11 16:09:00 EDT 2006


Hhmm.. okay.  First of all, you don't want to have the same keys in 
krb5.keytab on both systems.  A system should really only have keys for 
itself and any services it provides (like host/hostname, ftp/hostname, 
etc).

So that's probably why you're seeing the key version number problem. 
Every time you run ktadd it's going to randomize the key before writing it 
out to the file.

But first you need to fix the identity crisis your server is having.  I'm 
guessing it doesn't have its hostname set so it's defaulting to 
localhost.  What does 'hostname' return?  Your systems should think of 
themselves with real hostnames and have those entries in /etc/hosts with 
the fqdn listed first.  i.e., for your slave:

155.198.204.170  rapanui.ph.ic.ac.uk  rapanui

The master should have its host/master.ph.ic.ac.uk in its 
/etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk.  The 
slave should also have a kpropd.acl with just the text 
"host/master.ph.ic.ac.uk", not the actual key.

Hopefully that will get you further.

-Mike
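The two checks Mike describes above (a keytab should hold only the host's own host/ key, and its kvno must match the KDC database) as a small audit script. This is an added example, not code from the thread or from MIT Kerberos; the `klist -k` listings and the KDC kvno table are constructed sample data.

```python
import re

# Constructed sample `klist -k` listings for the two KDCs (not from the thread).
MASTER_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/master.ph.ic.ac.uk@PH.IC.AC.UK
   4 host/localhost.localdomain@PH.IC.AC.UK
"""
SLAVE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK
   3 host/localhost.localdomain@PH.IC.AC.UK
"""
# Constructed: current kvno of each principal in the KDC database
# (what `kadmin getprinc` reports as "Key: vno N"). Each ktadd bumps this.
KDC_KVNO = {
    "host/master.ph.ic.ac.uk@PH.IC.AC.UK": 2,
    "host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK": 3,
    "host/localhost.localdomain@PH.IC.AC.UK": 5,
}

KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)$")  # "   3 princ@REALM" rows only


def parse_klist(text):
    """Return {principal: highest kvno} from `klist -k` output."""
    kvnos = {}
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            kvnos[princ] = max(kvno, kvnos.get(princ, 0))
    return kvnos


def audit_keytab(fqdn, klist_text, kdc_kvno):
    """Flag host/ keys that belong to another identity and keytab/KDC kvno drift."""
    findings = []
    for princ, kvno in parse_klist(klist_text).items():
        name = princ.split("@", 1)[0]
        if name.startswith("host/") and name != f"host/{fqdn}":
            findings.append(f"{princ}: key for another host's identity in {fqdn}'s keytab")
        if princ not in kdc_kvno:
            findings.append(f"{princ}: not present in the KDC database")
        elif kdc_kvno[princ] != kvno:
            findings.append(f"{princ}: keytab kvno {kvno} != KDC kvno {kdc_kvno[princ]}")
    return findings
```

On a real KDC, feed it the output of `klist -k` and the vno values from `kadmin.local -q "getprinc host/<fqdn>"`; a clean host reports no findings.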

> Mike Dopheide wrote:
>>
>> My first guess is that the slave KDC doesn't have a host/ entry in the
>> principal database (and in its krb5.keytab).  Check your kerberos logs
>> and see if you're getting a client not found error for
>> host/rapanui.ph.ic.ac.uk
>
> Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
> host/localhost.localdomain (i.e. the requesting host) that was the problem.
>
> Adding this to the principal database (& extracting it to keytabs on
> both master & slave) fixed the immediate problem.  However:
>
> a) I'd rather not have a host/localhost.localdomain principal.  How
> should I ensure that the requesting host uses its proper name?
>
> b) I've now encountered another problem:
>  kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
> gives
> kprop: Decrypt integrity check failed while getting initial ticket
>
> I found this thread:
> http://mailman.mit.edu/pipermail/kerberos/2006-July/010082.html
>
> & discovered a key number mismatch on the master.  Curiously, it seems
> that on adding host/localhost.localdomain, its kvno was 4, but the first
> time I extracted it, its kvno was 3.  Is this normal/correct?  Anyway, I
> fixed that, but then got this error:
>
> kprop: Server rejected authentication (during sendauth exchange) while
> authenticating to server
> Generic remote error: Key version number for principal in key table is
> incorrect
>
> I tried to fix this by extracting the key to the slave keytab: after
> this I was back to the original error:
>
> kprop: Decrypt integrity check failed while getting initial ticket
>
> At this point, on the master, the kvno matches in keytab & main
> database; but it doesn't on the slave.  I can't see how to fix this,
> since each extraction seems to +1 to the kvno.
>
> However, kinit as host/localhost.localdomain, using the relevant keytab,
> works on both master & slave.
>
> I'm kind of stuck at this point!  Any suggestions would be much appreciated!
>
>
> Regards,
> Juliet
>
> -- 
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> + Ms Juliet Kemp                                                +
> + Computer Manager                  star at imperial.ac.uk      +
> + Astrophysics Group                                            +
> + Imperial College                  Tel: +44 (0)20759 47538     +
> + London. SW7 2AZ                   Fax: +44 (0)20759 47541     +
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++