setting up a slave KDC on a working krb5 realm

Damo Gets dgetsman at
Tue Apr 1 14:56:42 EDT 2008

Trying to enable a slave KDC on a realm that I have working well with
kerberosV so far.  Master KDC is on a ubuntu 7.10 server machine; the
slave KDC that I want to replicate to is a OpenSuSE 10.3 machine.

Both machines have kprop.acl installed in what appear to be the
correct places.  On the ubuntu machine this is '/etc/krb5kdc/
kpropd.acl' and on the OpenSuSE machine I installed it in '/var/lib/
kerberos/krb5kdc/kpropd.acl' (where it appears it should go) and '/usr/
local/var/krb5kdc/kpropd.acl' as it said this was the default in the
manpage, just in case it was looking there.  Both machines have 754 in
services enabled for krb5_prop, kpropd is installed and running, etc.

I use kdb5_util dump ./tmp/slavedump and that seems to work fine on my
master KDC:
-rw------- 1 root root 11359 2008-04-01 13:22 slavedump
-rw------- 1 root root     1 2008-04-01 13:22 slavedump.dump_ok

The problem comes when I try to replicate it:
root at kerb-ldap:~/tmp# kprop -f ./slavedump

and I receive the following error:
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server
Generic remote error: Wrong principal in request

So it looks like it's connecting and all, but something is wrong with
the hosts' principals in the keytabs, maybe?  I'm really not sure,
here.  The only thing that I know about the /etc/keytab files is that
for a given host 'x.y.z' I am to extract the 'host/x.y.z' key on that
particular machine through kadmin after it has been generated as a
random key on the kadmin server.  As far as this, things are correct;
the kdc has the kdc's host/ at MYREALM.COM, and the slave
has the slave's host/ at MYREALM.COM in the respective

Any ideas?  Many thanks in advance.

-Damon Getsman

More information about the Kerberos mailing list