Need slave server, no master key

Christian chanlists at googlemail.com
Sun Oct 23 16:06:40 EDT 2011


All,

I have a machine running 1.6.1 (on x86_64) and would like to add a slave 
machine under 1.8.3 (debian squeeze, x86). Unfortunately, the stash file 
from the master does not work on the slave. I get:

Unable to decrypt latest master key with the provided master key  - 
while fetching master keys list for realm OUR_REALM

I thought this should only happen between architectures with different 
endianness???

I currently do not have the KDC master key, so I thought I could do

kdb5_util dump -mkey_convert dumpfile
kdb5_util load dumpfile
kdb5_util stash

That seemed to work. I got the slave up and running, kprop works, I can 
kinit both to the master and to the slave, use aklog and afs, etc... But 
now kadmin gives me:

kadmin gss-api or kerberos error while initializing kadmin interface

kadmin.local works, though. I don't know if this could be related to

http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6546

Any help would be great!

For reference, the 1.6.1 machine (master) has the following kdc.conf:

[kdcdefaults]
kdc_ports = 88

[realms]
  OUR.REALM = {
   master_key_type = des3-hmac-sha1
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
   max_life = 24h
   max_renewable_life = 7d
}

The 1.8.3 machine (slave) has the following kdc.conf:

[kdcdefaults]
  kdc_ports = 88

[realms]
  OUR.REALM = {
   master_key_type = des3-hmac-sha1
   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
   max_life = 24h
   max_renewable_life = 7d
  }

Thanks,

Christian
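
The two kdc.conf realm stanzas quoted in the message above can be compared mechanically. The following is an added example, not part of the original post and not MIT Kerberos code: a small Python parser for the realm sub-block that reports which relations exist on only one KDC or differ in value. The function names and the inlined sample strings (the mail-wrapped supported_enctypes value rejoined) are constructed for illustration.

```python
import re
# Constructed input: the two stanzas quoted in the message, wrapped value rejoined.
ENCTYPES = ("des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal "
            "des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3")
MASTER_CONF = f"""[kdcdefaults]
kdc_ports = 88
[realms]
  OUR.REALM = {{
   master_key_type = des3-hmac-sha1
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
   supported_enctypes = {ENCTYPES}
   max_life = 24h
   max_renewable_life = 7d
}}"""
SLAVE_CONF = f"""[kdcdefaults]
  kdc_ports = 88
[realms]
  OUR.REALM = {{
   master_key_type = des3-hmac-sha1
   supported_enctypes = {ENCTYPES}
   max_life = 24h
   max_renewable_life = 7d
  }}"""

def realm_relations(conf, realm):
    """Return {name: value} for one realm sub-block of the [realms] section."""
    section, inside, out = None, False, {}
    for line in map(str.strip, conf.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, inside = m.group(1), False
        elif section == "realms" and re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
            inside = True
        elif line == "}":
            inside = False
        elif inside and "=" in line and line[0] not in "#;":
            name, value = (p.strip() for p in line.split("=", 1))
            out[name] = value
    return out

def drift(master, slave, realm):
    """Relations only on master, only on slave, and differing; enctype order is ignored."""
    a, b = realm_relations(master, realm), realm_relations(slave, realm)
    norm = lambda k, v: frozenset(v.split()) if k == "supported_enctypes" else v
    return (sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()),
            sorted(k for k in a.keys() & b.keys() if norm(k, a[k]) != norm(k, b[k])))

if __name__ == "__main__":
    print(drift(MASTER_CONF, SLAVE_CONF, "OUR.REALM"))
```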




