kprop problem

Marcin N nichu at CUT.onet.pl
Tue May 13 09:52:02 EDT 2008


Hello again
Kerberos database replication is probably too hard for me :>

Now I'm trying to do it between two Mandriva hosts..
I compiled krb-1.6.3 and read the documentation step by step ...

I did pretty much everything as in the docs..

My config files:
krb5.conf
[libdefaults]
         default_realm = KRB.COM

[realms]
          KRB.COM = {
                 admin_server = com1.krb.com
                 kdc = com1.krb.com
                 kdc = com2.krb.com
                 default_domain = krb.com
         }

[domain_realm]
         .krb.com = KRB.COM
         krb.com = KRB.COM

[logging]
  default = FILE:/var/log/kerberos/krb5libs.log
  kdc = FILE:/var/log/kerberos/krb5kdc.log
  admin_server = FILE:/var/log/kerberos/kadmind.log

[kdc]
  profile = /usr/local/var/krb5kdc/kdc.conf
===========================================================================

Here are my first questions:
should krb5.conf be the same on both machines?
Maybe admin_server should be set to the master on both sides,
should the order of the kdcs be the same on both machines,
or should only one be set in the file (which one)?

===========================================================================

kdc.conf:
[kdcdefaults]
         kdc_ports = 88
         acl_file = /usr/local/var/krb5kdc/kadm5.acl
         dict_file = /usr/share/dict/words
         admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab

[realms]
      KRB.COM = {
                 profile = /etc/krb5.conf
                 max_life = 8h 0m 0s
                 max_renewable_life = 7d 0h 0m 0s
                 default_principal_flags = +preauth
                 master_key_type = des3-hmac-sha1
                 supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
                 database_name = /usr/local/var/krb5kdc/principal
                 admin_database_name = /usr/local/var/krb5kdc/kadm5_adb
                 admin_database_lockfile = /usr/local/var/krb5kdc/kadm5_adb.lock
                 admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
                 acl_file = /usr/local/var/krb5kdc/kadm5.acl
                 dict_file = /usr/share/dict/words
                 key_stash_file = /usr/local/var/krb5kdc/.k5stash
                 kdc_ports = 88
                 kadmind_port = 749
                 max_life = 10h 0m 0s
                 max_renewable_life = 7d 0h 0m 0s
         }


===========================================================================

My next question is about:
4.1.2.3 Set Up the Slave KDCs for Database Propagation

      krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
      eklogin   stream tcp nowait root /usr/local/sbin/klogind klogind -k -c -e

I don't use inetd, so I started kpropd and klogind by hand (on both machines):
kpropd -S
klogind -f

Is that ok?

Now when I execute /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans ns1.krb.com

there is an error:

/usr/local/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
Generic remote error: Wrong principal in request

In the log there is only:

May 13 15:37:59 com2 krb5kdc[4799](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.111.109: ISSUE: authtime 1210685879, etypes {rep=16 tkt=16 ses=16}, host/com2.krb.com@KRB.COM for host/com1.krb.com@KRB.COM

so it's the same error as on Solaris :/
I'm really confused ..
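
Editor's note with an added example (not part of the original post, and not MIT Kerberos code). "Wrong principal in request" is KRB5KRB_AP_WRONG_PRINC: kpropd hands krb5_recvauth the principal host/<its own canonical hostname>@REALM and rejects any ticket issued for a different service principal. kprop, for its part, authenticates as host/<master>@REALM from the master's keytab and requests a ticket for host/<canonical name of the host given on its command line>@REALM, which is exactly what the KDC log above shows (host/com2.krb.com obtaining a ticket for host/com1.krb.com). On top of that, the setup instructions the post follows require the master's host principal to be listed in kpropd.acl on the slave. The POSIX shell script below models those three checks with constructed data: it assumes the realm KRB.COM and host names from the post, treats com2.krb.com as the master and com1.krb.com as the slave, uses ns1.krb.com only as a hypothetical case of the slave's own hostname resolving to a different name, and assumes the default ACL location /usr/local/var/krb5kdc/kpropd.acl. The temporary ACL file it writes is sample data, not a file from the post.

```shell
#!/bin/sh
# Added example: model the principal names used in a kprop/kpropd exchange
# and check the slave's kpropd.acl. Host names, realm and ACL contents below
# are assumptions/constructed sample data, not taken from a live system.

# host/<fqdn>@REALM as krb5_sname_to_principal builds it for service "host":
# the hostname is canonicalized and lowercased. Canonicalization (DNS
# forward and, by default, reverse lookup) is simulated here by passing the
# already-resolved name as the first argument.
host_princ() {  # host_princ FQDN REALM
    printf 'host/%s@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# kpropd.acl on the slave: one principal per line, '#' starts a comment.
# Returns 0 when PRINCIPAL is listed exactly (trailing blanks ignored).
acl_allows() {  # acl_allows ACL_FILE PRINCIPAL
    grep -v '^[[:space:]]*#' "$1" | sed 's/[[:space:]]*$//' | grep -qxF "$2"
}

# One master/slave pair. Exit status:
#   0 names agree and the ACL admits the master
#   1 ticket's service principal != what kpropd expects
#     (kprop reports "Wrong principal in request")
#   2 master's host principal missing from kpropd.acl
check_pair() {  # check_pair MASTER_FQDN SLAVE_AS_RESOLVED_BY_KPROP SLAVE_OWN_FQDN REALM ACL_FILE
    client=$(host_princ "$1" "$4")   # kprop authenticates as this (from master keytab)
    wanted=$(host_princ "$2" "$4")   # service principal in the ticket kprop obtains
    have=$(host_princ "$3" "$4")     # service principal kpropd derives for itself
    echo "kprop client principal : $client"
    echo "ticket requested for   : $wanted"
    echo "kpropd expects         : $have"
    if [ "$wanted" != "$have" ]; then
        echo "MISMATCH: kpropd will answer 'Wrong principal in request'"
        return 1
    fi
    if ! acl_allows "$5" "$client"; then
        echo "MISSING: $client is not listed in $5; kpropd will reject the push"
        return 2
    fi
    echo "OK: service names agree and $5 admits $client"
    return 0
}

# Demo with constructed data: a slave ACL that admits the master, then two
# hypothetical answers for what 'hostname -f' returns on the slave.
demo() {
    acl=$(mktemp)
    printf '# constructed kpropd.acl on the slave\nhost/com2.krb.com@KRB.COM\n' > "$acl"
    for own in com1.krb.com ns1.krb.com; do
        echo "--- slave's own hostname resolves to: $own"
        check_pair com2.krb.com com1.krb.com "$own" KRB.COM "$acl" || echo "(exit status $?)"
    done
    rm -f "$acl"
}

demo
```

To apply this to a real pair of hosts, replace the constructed arguments with what the systems actually report: `hostname -f` on the slave for the name kpropd will use, `getent hosts <name-given-to-kprop>` on the master for the name kprop will canonicalize, and `klist -k /etc/krb5.keytab` on each host to confirm that host/<fqdn>@REALM has a key there, since kprop and kpropd both read their host principal from the keytab rather than from krb5.conf.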
