Problem with kerberos and backup

francK.costes@wanadoo.fr francK.costes at wanadoo.fr
Fri Feb 10 08:54:01 EST 2006 

Hi all,

my name is franck, i am french student, and i must do a backup kerberos
for me.
I'm following Kerberos -The Definitive Guide- (official book) and the
Kerberos V5 System Administrator's Guide.

(i'm confused for my english mistakes).

My master KDC is a Debian Linux (192.168.1.254) and my slave KDC is a
Mandrake (192.168.1.253).

Kadmin in master KDC is ok.
Kadmin in slave KDC is ok.
(when i add the slave's machine in kadmin in slave KDC, this
information is broadcast in the kadmin in master KDC so there is a
transfert between this two machines).

I created kpropd.acl  in /etc/krb5kdc, in two machines, which contains
:
host/master.domain.test
host/slave1.domain.test

On each machines all ports are open (for the test).
I have wrotten : kdb5_util dump /etc/krb5kdc/slavedump to do the copy
of database.
The slavedump file is created.

I have wrotten : kprop -f /etc/krb5kdc/slavedump slave1.domain.test
and at this moment the replication is not execute.

In the log file there is :
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.254: ISSUE: authtime
1139502634, etypes {rep=16 tkt=16 ses=16},
host/master.domain.test at DOMAIN.TEST for
host/slave1.domain.test at DOMAIN.TEST

I have launched the command : strace -o error kprop -f
/etc/krb5kdc/slavedump slave1.domain.test and there is :
...
getsockname(4, {sa_family=AF_INET, sin_port=htons(34782),
sin_addr=inet_addr("192.168.1.254")}, [16]) = 0
write(4, "\0\0\0\23", 4)                = 4
write(4, "KRB5_SENDAUTH_V1.0\0", 19)    = 19
write(4, "\0\0\0\n", 4)                 = 4
write(4, "kprop5_01\0", 10)             = 10
read(4, 0xbffff89b, 1)                  = ? ERESTARTSYS (To be
restarted)
--- SIGINT (Interrupt) @ 0 (0) ---
+++ killed by SIGINT +++

There is my config files in the master KDC :

<<<<<<< krb5.conf >>>>>>>>

[libdefaults]
default_realm = DOMAIN.TEST
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
default = FILE:/var/log/kadm.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmd.log
[realms]
DOMAIN.TEST = {
        kdc = MASTER.DOMAIN.TEST:88
        kdc = SLAVE1.DOMAIN.TEST:754
        admin_server = MASTER.DOMAINE.TEST
        default_domain = DOMAIN.TEST
}
[domain_realm]
        .domain.test = DOMAIN.TEST
        domain.test = DOMAIN.TEST

<<<<<<< kdc.conf >>>>>>>
[kdcdefaults]
    kdc_ports = 88,754
    acl_file = /etc/krb5kdc/kadm5.acl
    admin_keytab = /etc/krb5kdc/kadm5.keytab

[realms]
    DOMAIN.TEST = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        profile = /etc/krb5.conf
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 88,754
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

There is my config files in the slave KDC :

<<<<<<< krb5.conf >>>>>>>
[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DOMAIN.TEST
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 DOMAIN.TEST = {
  kdc = MASTER.DOMAIN.TEST:88
  kdc = SLAVE1.DOMAIN.TEST:754
  admin_server = MASTER.DOMAIN.TEST
  default_domain = DOMAIN.TEST
 }

[domain_realm]
 .domain.test = DOMAIN.TEST
 domain.test = DOMAIN.TEST

[kdc]
 profile = /etc/kerberos/krb5kdc/kdc.conf

<<<<<<<<< kdc.conf >>>>>>>>>>>
[kdcdefaults]
 kdc_ports = 754,88
 acl_file = /etc/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
 DOMAIN.TEST = {
  master_key_type = des3-hmac-sha1
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
  profile = /etc/krb5.conf
  database_name = /etc/kerberos/krb5kdc/principal
  admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
  admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
  admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
  acl_file = /etc/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  key_stash_file = /etc/kerberos/krb5kdc/.k5stash
  kdc_ports = 88,754
  kadmind_port = 754
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }

I'm used the ssh to manage two machines.

I don't understand and i'm trying to find since one week.
Maybe you can help me, i hope.

Thank you.

More information about the Kerberos mailing list