kprop between master (solaris) and slave (mandriva)

Douglas E. Engert deengert at anl.gov
Fri Apr 11 10:46:02 EDT 2008



Marcin N wrote:
> Hello
> I would like to make replication between two hosts with different OS's - 
> solaris as master and mandriva as slave.

And different versions of Kerberos too. It looks like the solaris master
is the vendor provided Solaris 10 Kerberos. The mandriva slave looks like
some variant of MIT 1.4.2.

They both may store configuration files in different locations.
Solaris tends to use /etc/krb5. Check both sets of man pages.

Both kprop and kpropd have -d options in both Solaris and MIT.


> 
> On master everything seems to be OK.
> So on slave I initialized databases
> kdb5_util create -r NET.COM -s
> 
> On both sides I run
> kpropd -S
> 
> On both sides krb5.conf looks like:
> ===============================================
> [libdefaults]
>          default_realm = NET.COM
> [realms]
>           NET.COM = {
>                  admin_server = master0
>                  kdc = master0
>                  kdc = slave
>                  master_kdc = master0

Host names, including the KDC, should be FQDNs.

>          }
> [domain_realm]
>          .net.com = NET.COM
>          net.com = NET.COM
> [logging]
>          default = FILE:/var/krb5/kdc.log
>          kdc = FILE:/var/krb5/kdc.log
> ===============================================
> kpropd.acl
> 
> host/slave.net.com@NET.COM
> host/master0.net.com@NET.COM
> host/master0@NET.COM
> host/slave
> host/master0
> 
> There are entries for both hosts in the krb database on both sides as well, 
> I even turned off the firewall on both sides to check...
> 
> and when I try to propagate data
> /usr/lib/krb5/kprop -d -f krb5.dump slave.net.com
> 
> there is an error:
> /usr/lib/krb5/kprop: Server rejected authentication (during sendauth 
> exchange) while authenticating to server
> Generic remote error: Wrong principal in request



> 
> in kdc.log on master
> Apr 11 15:24:01 master0 krb5kdc[24492](info): AS_REQ (5 etypes {17 16 23 
> 3 1}) 192.168.5.5: NEEDED_PREAUTH: host/master0@NET.COM for 
> host/slave.net.com@NET.COM, Additional pre-authentication required
> Apr 11 15:24:01 master0 krb5kdc[24492](info): AS_REQ (5 etypes {17 16 23 
> 3 1}) 192.168.5.5: ISSUE: authtime 1207920241, etypes {rep=17 tkt=17 
> ses=17}, host/master0@NET.COM for host/slave.net.com@NET.COM
> 
> I read somewhere that I need to copy krb5.keytab from master to slave - 
> and I did and it didn't help.
> 
> Maybe it's due to differences in software?!
> on solaris I have installed packets from CD:
> svcadm enable svc:/network/security/krb5kdc
> svcadm enable svc:/network/security/krb5_prop
> svcadm enable svc:/network/security/kadmin
> 
> on mandriva via urpmi
> krb5-workstation-1.4.2-2.2.20060mdk
> libkrb53-1.4.2-2.2.20060mdk
> krb5-server-1.4.2-2.2.20060mdk
> 
> Thank You in advance for any help
> 
> Regards
> nichu
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
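
A check for the FQDN point raised in the reply above, written as an added example that is not part of the original message: it flags short host names in the [realms] section of krb5.conf and kpropd.acl entries that are not of the form service/fqdn@REALM. The function names are hypothetical and the embedded files are constructed samples modelled on the configuration quoted in the thread.

```python
import re
# Constructed sample input mirroring the configuration quoted in the thread.
KRB5_CONF = """\
[libdefaults]
         default_realm = NET.COM
[realms]
          NET.COM = {
                 admin_server = master0
                 kdc = master0
                 kdc = slave
                 master_kdc = master0
         }
"""
KPROPD_ACL = """\
host/slave.net.com@NET.COM
host/master0@NET.COM
host/slave
"""

HOST_KEYS = {"kdc", "admin_server", "master_kdc"}

def is_fqdn(host):
    """A name counts as fully qualified if it has a domain part (optional :port ignored)."""
    return "." in host.split(":")[0].strip(".")

def short_hosts_in_conf(text):
    """Return (key, value) pairs in [realms] whose host name is not an FQDN."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "realms" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in HOST_KEYS and not is_fqdn(value):
                findings.append((key, value))
    return findings

def bad_acl_entries(text):
    """Return ACL lines that lack a realm or whose host part is a short name."""
    bad = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = re.fullmatch(r"[^/@\s]+/([^/@\s]+)@\S+", line)
        if not m or not is_fqdn(m.group(1)):
            bad.append(line)
    return bad
```

Run both functions against the real files on the master and on the slave; an empty list from each means every KDC host name and ACL principal is fully qualified.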


