setting up a slave KDC on a working krb5 realm
Damo Gets
dgetsman at amirehab.net
Tue Apr 1 14:56:42 EDT 2008
Trying to enable a slave KDC on a realm that I have working well with
kerberosV so far. Master KDC is on a ubuntu 7.10 server machine; the
slave KDC that I want to replicate to is a OpenSuSE 10.3 machine.
Both machines have kprop.acl installed in what appear to be the
correct places. On the ubuntu machine this is '/etc/krb5kdc/
kpropd.acl' and on the OpenSuSE machine I installed it in '/var/lib/
kerberos/krb5kdc/kpropd.acl' (where it appears it should go) and '/usr/
local/var/krb5kdc/kpropd.acl' as it said this was the default in the
manpage, just in case it was looking there. Both machines have 754 in
services enabled for krb5_prop, kpropd is installed and running, etc.
I use kdb5_util dump ./tmp/slavedump and that seems to work fine on my
master KDC:
-rw------- 1 root root 11359 2008-04-01 13:22 slavedump
-rw------- 1 root root 1 2008-04-01 13:22 slavedump.dump_ok
The problem comes when I try to replicate it:
root at kerb-ldap:~/tmp# kprop -f ./slavedump my-slave-kdc.ouah.net
and I receive the following error:
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server
Generic remote error: Wrong principal in request
So it looks like it's connecting and all, but something is wrong with
the hosts' principals in the keytabs, maybe? I'm really not sure,
here. The only thing that I know about the /etc/keytab files is that
for a given host 'x.y.z' I am to extract the 'host/x.y.z' key on that
particular machine through kadmin after it has been generated as a
random key on the kadmin server. As far as this, things are correct;
the kdc has the kdc's host/myhost.mine.com at MYREALM.COM, and the slave
has the slave's host/myslave.mine.com at MYREALM.COM in the respective
keytabs.
Any ideas? Many thanks in advance.
-Damon Getsman
More information about the Kerberos
mailing list