Stash file problems

Edward Murrell edward at dlconsulting.com
Mon Feb 12 15:54:32 EST 2007


Hi all,

I've run into some problems with a KDC slave that's started giving me
grief out of the blue.

System (bender) is Debian testing, x86. Krb5 packages are all 1.4.4-6.

The master KDC (becks) is Ubuntu 6.06 (LTS) running KRB5, with Krb5
packages 1.4.3-5ubuntu0.2. The master KDC also feeds another slave KDC
(vulcan) also running Ubuntu 6.06 with KRB5 1.4.3-5ubuntu0.2.

--

The slave KDC (bender) was working perfectly. The KDC appears to have
fallen over without any warning whatsoever. I can still log in via GSSAPI
on SSH, and if I disable the local KDC, it defaults to one of the
backups, and everything works perfectly, so it's not the local libraries.

The following appears in the kdc.log:

Feb 12 08:43:15 bender krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3})
69.60.121.195: NEEDED_PREAUTH: edward at DLCONSULTING.COM for
krbtgt/DLCONSULTING.COM at DLCONSULTING.COM, Additional pre-authentication
required
Feb 12 08:43:15 bender krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3})
69.60.121.195: ISSUE: authtime 1171222995, etypes {rep=16 tkt=16
ses=16}, edward at DLCONSULTING.COM for
krbtgt/DLCONSULTING.COM at DLCONSULTING.COM

Feb 12 16:10:17 bender krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3})
69.60.121.195: CLIENT_NOT_FOUND: edward at DLCONSULTING.COM for
krbtgt/DLCONSULTING.COM at DLCONSULTING.COM, Client not found in Kerberos
database

So it's working, and then eight hours later, my principal doesn't exist
anymore!

Since then, I've reinstalled the krb5-kdc packages and their supporting
libraries, just in case.

Now, when I try to recreate the stash key I get the following error:

bender:/etc/krb5kdc# kdb5_util stash -f /etc/krb5kdc/stash
kdb5_util: No such entry in the database while retrieving master entry

I've tried forcing the database to be propagated from the master
(successfully), and creating the stash key manually and copying it from
the master. When I do this, and try to start the KDC, I get the
following error:

krb5kdc: Cannot find master key record in database - while verifying
master key for realm DLCONSULTING.COM

So now I'm confused. This should work. Anyone got any ideas?

Cheers
Edward
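
The pattern in the kdc.log excerpt above, a principal that gets ISSUE and later CLIENT_NOT_FOUND on the same slave KDC, can be flagged automatically. This is an added example, not part of the original post: the sample lines are constructed (placeholder host, realm and addresses), the function name and the year default are assumptions, and it expects raw one-line log entries rather than the wrapped, address-obfuscated form the list archive shows.

```python
import re
from datetime import datetime

# Constructed sample in the krb5kdc log format quoted in the post.
SAMPLE_LOG = """\
Feb 12 08:43:15 kdc2 krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 12 08:43:15 kdc2 krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3}) 192.0.2.10: ISSUE: authtime 1171222995, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 12 09:02:41 kdc2 krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3}) 192.0.2.11: CLIENT_NOT_FOUND: nosuchuser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Feb 12 16:10:17 kdc2 krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3}) 192.0.2.10: CLIENT_NOT_FOUND: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
"""

# timestamp, host, krb5kdc[pid](level): AS_REQ (...) address: STATUS: [details, ]client for service
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(.*?\) \S+: (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+) for \S+"
)


def lost_principals(log_text, year=2007):
    """Return [(client, last_issue, first_not_found)] for principals that were
    issued a ticket and later reported as missing from the KDC database.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    last_issue, flagged = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        client, status = m["client"], m["status"]
        if status == "ISSUE":
            last_issue[client] = when
            flagged.pop(client, None)  # principal resolves again; clear the alert
        elif status == "CLIENT_NOT_FOUND" and client in last_issue:
            # Keep only the first failure after the last successful issue.
            flagged.setdefault(client, (last_issue[client], when))
    return [(c, ok, gone) for c, (ok, gone) in sorted(flagged.items())]


if __name__ == "__main__":
    for client, ok, gone in lost_principals(SAMPLE_LOG):
        print(f"{client}: last ISSUE {ok}, first CLIENT_NOT_FOUND {gone}")
```

A principal that was never issued a ticket (a mistyped name, for instance) is not reported; only a principal that existed and then vanished is, which points at the KDC's database rather than at the client.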


