Problems with kpropd

Juliet Kemp j.kemp at imperial.ac.uk
Mon Aug 14 11:24:20 EDT 2006


Mike Dopheide wrote:
> 
> Hmm.. okay.  First of all, you don't want to have the same keys in 
> krb5.keytab on both systems.  A system should really only have keys for 
> itself and any services it provides (like host/hostname, ftp/hostname, 
> etc).

Ah, right, OK.  Misapprehension there on my part; I'm still getting to 
grips with Kerberos.

I've now managed to fix the initial identity/key problems by 
appropriately removing/recreating principals, so I now have

host/elysium.ph.ic.ac.uk  in the master keytab,
host/rapanui.ph.ic.ac.uk  in the slave keytab
& both with KVNOs that match the database.

The issue I'm now having is this error in the slave logs:

kpropd: Incorrect net address while decoding database size from client

I was hoping that this was related to the identity issue below, but I've 
now resolved that, so it seems not (unless it's another subtle 
difference?  e.g. the ticket having a 127.0.0.1 address?  Might that 
happen?).  The only reference I can find in the list archives is to a 
multihoming issue, which doesn't apply here.

[ Solution to identity problem is below, for reference ]

Thanks very much for all the help given so far!  Thoughts on the latest 
stalling point welcome.


Regards,
Juliet


> But first you need to fix the identity crisis your server is having.  

hostname was returning correct; and /etc/hosts had:

155.198.204.57  elysium.ph.ic.ac.uk     elysium
127.0.0.1       localhost.localdomain  localhost 	elysium

Googling revealed some discussion on the Debian lists about this (the 
standard Debian ordering) being the wrong order ( 
http://lists.debian.org/debian-devel/2005/10/msg00387.html ), as a 
result of which I've now replaced that last line with

127.0.0.1       localhost     localhost.localdomain   elysium

which works.  host/localhost.localdomain principal has now been removed.


> 
> The master should have its host/master.ph.ic.ac.uk in its 
> /etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk.  
> The slave should also have a kpropd.acl with just the text 
> "host/master.ph.ic.ac.uk", not the actual key.
> 
> Hopefully that will get you further.
> 
> -Mike
> 
>> Mike Dopheide wrote:
>>>
>>> My first guess is that the slave KDC doesn't have a host/ entry in the
>>> principal database (and in its krb5.keytab).  Check your kerberos logs
>>> and see if you're getting a client not found error for
>>> host/rapanui.ph.ic.ac.uk
>>
>> Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
>> host/localhost.localdomain (i.e. the requesting host) that was the 
>> problem.
>>
>> Adding this to the principal database (& extracting it to keytabs on
>> both master & slave) fixed the immediate problem.  However:
>>
>> a) I'd rather not have a host/localhost.localdomain principal.  How
>> should I ensure that the requesting host uses its proper name?
>>
>> b) I've now encountered another problem:
>>  kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
>> gives
>> kprop: Decrypt integrity check failed while getting initial ticket
>>
>> I found this thread:
>> http://mailman.mit.edu/pipermail/kerberos/2006-July/010082.html
>>
>> & discovered a key number mismatch on the master.  Curiously, it seems
>> that on adding host/localhost.localdomain, its kvno was 4, but the first
>> time I extracted it, its kvno was 3.  Is this normal/correct?  Anyway, I
>> fixed that, but then got this error:
>>
>> kprop: Server rejected authentication (during sendauth exchange) while
>> authenticating to server
>> Generic remote error: Key version number for principal in key table is
>> incorrect
>>
>> I tried to fix this by extracting the key to the slave keytab: after
>> this I was back to the original error:
>>
>> kprop: Decrypt integrity check failed while getting initial ticket
>>
>> At this point, on the master, the kvno matches in keytab & main
>> database; but it doesn't on the slave.  I can't see how to fix this,
>> since each extraction seems to +1 to the kvno.
>>
>> However, kinit as host/localhost.localdomain, using the relevant keytab,
>> works on both master & slave.
>>
>> I'm kind of stuck at this point!  Any suggestions would be much 
>> appreciated!
>>
>>
>> Regards,
>> Juliet

-- 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Ms Juliet Kemp                                                +
+ Computer Manager                  star at imperial.ac.uk          +
+ Astrophysics Group                                            +
+ Imperial College                  Tel: +44 (0)20759 47538     +
+ London. SW7 2AZ                   Fax: +44 (0)20759 47541     +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
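Added example, not code from the thread above. The kvno trouble described in the message comes from how `kadmin`'s `ktadd` works: every run generates a fresh random key for the principal and increments its kvno, so extracting the same host principal once into the master's keytab and again into the slave's leaves the earlier keytab stale, and the KDC then answers with "Key version number for principal in key table is incorrect". The script below cross-checks the kvno a keytab holds for a principal against the kvno the KDC database reports. The `klist -k` and `getprinc` listings in it are constructed to resemble MIT Kerberos output (the principal host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK is the one from the thread, the kvno values are made up); on a real host, feed the same functions the real output of `klist -k /etc/krb5.keytab` and `kadmin.local -q "getprinc host/$(hostname -f)"`.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the key version number
# (kvno) a keytab holds for a host principal against the kvno the KDC
# database reports.  Each `kadmin ktadd` of a principal creates a fresh
# random key and bumps its kvno, so a keytab written by an earlier ktadd
# goes stale as soon as the principal is extracted again elsewhere.

PRINCIPAL='host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK'

# Constructed `klist -k /etc/krb5.keytab` output on the slave: two
# extractions landed here (kvno 3 and 4), but a later ktadd on the master
# has since moved the database on to kvno 5.
SLAVE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK
   4 host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK'

# Constructed listing after the fix: one final ktadd written into the
# slave keytab and no further extractions of this principal anywhere.
SLAVE_KEYTAB_AFTER_FIX='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK'

# Constructed `kadmin.local -q "getprinc host/rapanui.ph.ic.ac.uk"` output.
DB_GETPRINC_OUTPUT='Principal: host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK
Expiration date: [never]
Number of keys: 1
Key: vno 5, des3-cbc-sha1, no salt
Policy: [none]'

# Highest kvno a klist -k listing records for a principal; prints nothing
# when the principal is absent from the keytab.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
        END { if (max) print max }'
}

# Highest kvno the database reports, taken from the "Key: vno N, ..." lines.
db_kvno() {
    printf '%s\n' "$1" | awk '
        /^Key: vno / { sub(/,/, "", $3); if ($3 + 0 > max) max = $3 + 0 }
        END { if (max) print max }'
}

# Compare the two; exit status 0 only when keytab and database agree.
# Arguments: principal, klist -k listing, getprinc output.
check_kvno() {
    principal=$1
    kt=$(keytab_kvno "$2" "$principal")
    db=$(db_kvno "$3")
    if [ -z "$kt" ]; then
        echo "$principal: not present in keytab"
        return 1
    fi
    if [ "$kt" = "$db" ]; then
        echo "$principal: keytab kvno $kt matches database kvno $db"
        return 0
    fi
    echo "$principal: keytab kvno $kt but database kvno $db; extract once more, then stop extracting"
    return 1
}

# Stand-alone demonstration: the stale keytab, then the corrected one.
for listing in "$SLAVE_KEYTAB_LISTING" "$SLAVE_KEYTAB_AFTER_FIX"; do
    check_kvno "$PRINCIPAL" "$listing" "$DB_GETPRINC_OUTPUT" || true
done
```

To get a keytab that passes this check and stays that way, write the key once, on the host that will use it (`kadmin -q "ktadd host/$(hostname -f)"` run on that host), or run `ktadd -k /path/to/file host/...` once on the master and copy the file to the slave over an authenticated channel; then never run `ktadd` for that principal again on another machine, since each run invalidates every copy made before it.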