Problem with kerberos and backup
francK.costes@wanadoo.fr
francK.costes at wanadoo.fr
Fri Feb 10 08:54:01 EST 2006
Hi all,
my name is franck, i am french student, and i must do a backup kerberos
for me.
I'm following Kerberos -The Definitive Guide- (official book) and the
Kerberos V5 System Administrator's Guide.
(i'm confused for my english mistakes).
My master KDC is a Debian Linux (192.168.1.254) and my slave KDC is a
Mandrake (192.168.1.253).
Kadmin in master KDC is ok.
Kadmin in slave KDC is ok.
(when i add the slave's machine in kadmin in slave KDC, this
information is broadcast in the kadmin in master KDC so there is a
transfert between this two machines).
I created kpropd.acl in /etc/krb5kdc, in two machines, which contains
:
host/master.domain.test
host/slave1.domain.test
On each machines all ports are open (for the test).
I have wrotten : kdb5_util dump /etc/krb5kdc/slavedump to do the copy
of database.
The slavedump file is created.
I have wrotten : kprop -f /etc/krb5kdc/slavedump slave1.domain.test
and at this moment the replication is not execute.
In the log file there is :
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.254: ISSUE: authtime
1139502634, etypes {rep=16 tkt=16 ses=16},
host/master.domain.test at DOMAIN.TEST for
host/slave1.domain.test at DOMAIN.TEST
I have launched the command : strace -o error kprop -f
/etc/krb5kdc/slavedump slave1.domain.test and there is :
...
getsockname(4, {sa_family=AF_INET, sin_port=htons(34782),
sin_addr=inet_addr("192.168.1.254")}, [16]) = 0
write(4, "\0\0\0\23", 4) = 4
write(4, "KRB5_SENDAUTH_V1.0\0", 19) = 19
write(4, "\0\0\0\n", 4) = 4
write(4, "kprop5_01\0", 10) = 10
read(4, 0xbffff89b, 1) = ? ERESTARTSYS (To be
restarted)
--- SIGINT (Interrupt) @ 0 (0) ---
+++ killed by SIGINT +++
There is my config files in the master KDC :
<<<<<<< krb5.conf >>>>>>>>
[libdefaults]
default_realm = DOMAIN.TEST
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
default = FILE:/var/log/kadm.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmd.log
[realms]
DOMAIN.TEST = {
kdc = MASTER.DOMAIN.TEST:88
kdc = SLAVE1.DOMAIN.TEST:754
admin_server = MASTER.DOMAINE.TEST
default_domain = DOMAIN.TEST
}
[domain_realm]
.domain.test = DOMAIN.TEST
domain.test = DOMAIN.TEST
<<<<<<< kdc.conf >>>>>>>
[kdcdefaults]
kdc_ports = 88,754
acl_file = /etc/krb5kdc/kadm5.acl
admin_keytab = /etc/krb5kdc/kadm5.keytab
[realms]
DOMAIN.TEST = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
profile = /etc/krb5.conf
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 88,754
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
There is my config files in the slave KDC :
<<<<<<< krb5.conf >>>>>>>
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.TEST
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true
[realms]
DOMAIN.TEST = {
kdc = MASTER.DOMAIN.TEST:88
kdc = SLAVE1.DOMAIN.TEST:754
admin_server = MASTER.DOMAIN.TEST
default_domain = DOMAIN.TEST
}
[domain_realm]
.domain.test = DOMAIN.TEST
domain.test = DOMAIN.TEST
[kdc]
profile = /etc/kerberos/krb5kdc/kdc.conf
<<<<<<<<< kdc.conf >>>>>>>>>>>
[kdcdefaults]
kdc_ports = 754,88
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab
[realms]
DOMAIN.TEST = {
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
profile = /etc/krb5.conf
database_name = /etc/kerberos/krb5kdc/principal
admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /etc/kerberos/krb5kdc/.k5stash
kdc_ports = 88,754
kadmind_port = 754
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
I'm used the ssh to manage two machines.
I don't understand and i'm trying to find since one week.
Maybe you can help me, i hope.
Thank you.
More information about the Kerberos
mailing list