Problems with kpropd

Juliet Kemp j.kemp at
Mon Aug 14 11:24:20 EDT 2006

Mike Dopheide wrote:
> Hhmm.. okay.  First of all, you don't want to have the same keys in 
> krb5.keytab on both systems.  A system should really only have keys for 
> itself and any services it provides (like host/hostname, ftp/hostname, 
> etc).

Ah, right, OK.  Misapprehension there on my part; I'm still getting to 
grips with Kerberos.

I've now managed to fix the initial identity/key problems, by 
appropriate removing/recreating of principals so I now have

host/  in the master keytab,
host/   in the slave keytab
& both with KVNO that match the database.

The issue I'm now having is this error in the slave logs:

kpropd: Incorrect net address while decoding database size from client

I was hoping that this was related to the identity issue below, but I've 
now resolved that, so it seems not (unless it's another subtle 
difference?  e.g. the ticket having a address?  Might that 
happen?).  The only reference I can find in the list archives is to a 
multihoming issue, which doesn't apply here.

[ Solution to identity problem is below, for reference ]

Thanks very much for all the help given so far!  Thoughts on the latest 
stalling point welcome.


> But first you need to fix the identity crisis your server is having.  

hostname was returning correct; and /etc/hosts had:     elysium       localhost.localdomain  localhost 	elysium

Googling revealed some discussion on the Debian lists about this (the 
standard Debian ordering) being the wrong order ( ), as a 
result of which I've now replaced that last line with       localhost     localhost.localdomain   elysium

which works.  host/localhost.localdomain principal has now been removed.

> The master should have it's host/ in it's 
> /etc/krb5.keytab and the slave should have host/  
> The slave should also have a kpropd.acl with just the text 
> "host/", not the actual key.
> Hopefully that will get you further.
> -Mike
>> Mike Dopheide wrote:
>>> My first guess is that the slave KDC doesn't have a host/ entry in the
>>> principal database (and in it's krb5.keytab).  Check your kerberos logs
>>> and see if you're getting a client not found error for
>>> host/
>> Many thanks for this - it wasn't host/ but
>> host/localhost.localdomain (i.e. the requesting host) that was the 
>> problem.
>> Adding this to the principal database (& extracting it to keytabs on
>> both master & slave) fixed the immediate problem.  However:
>> a) I'd rather not have a host/localhost.localdomain principal.  How
>> should I ensure that the requesting host uses its proper name?
>> b) I've now encountered another problem:
>>  kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db
>> gives
>> kprop: Decrypt integrity check failed while getting initial ticket
>> I found this thread:
>> & discovered a key number mismatch on the master.  Curiously, it seems
>> that on adding host/localhost.localdomain, its kvno was 4, but the first
>> time I extracted it, its kvno was 3.  Is this normal/correct?  Anyway, I
>> fixed that, but then got this error:
>> kprop: Server rejected authentication (during sendauth exchange) while
>> authenticating to server
>> Generic remote error: Key version number for principal in key table is
>> incorrect
>> I tried to fix this by extracting the key to the slave keytab: after
>> this I was back to the original error:
>> kprop: Decrypt integrity check failed while getting initial ticket
>> At this point, on the master, the kvno matches in keytab & main
>> database; but it doesn't on the slave.  I can't see how to fix this,
>> since each extraction seems to +1 to the kvno.
>> However, kinit as host/localhost.localdomain, using the relevant keytab,
>> works on both master & slave.
>> I'm kind of stuck at this point!  Any suggestions would be much 
>> appreciated!
>> Regards,
>> Juliet

+ Ms Juliet Kemp                                                +
+ Computer Manager		            star at         +
+ Astrophysics Group                                            +
+ Imperial College                  Tel: +44 (0)20759 47538     +
+ London. SW7 2AZ                   Fax: +44 (0)20759 47541     +

More information about the Kerberos mailing list