Wallet/remctld: Wrong principal in request

Andreas Ntaflos daff at pseudoterminal.org
Fri Oct 26 22:23:01 EDT 2012


On 2012-10-27 03:41, Russ Allbery wrote:
> When you do a klist after you run wallet, what principal shows up in your
> local ticket cache?  It's not the same principal as is in /etc/krb5.keytab
> on the remote system.
> 
> Usually this means that there's something wrong with your DNS resolution.
> Something isn't matching somewhere.

Thank you for the hint, I now get it (and should have known it)!

This confusion is the result of our running two auth servers in an
active/passive cluster setup: auth01.example.com and auth02.example.com
with a floating/virtual IP address that resolves from/to the service
address auth.example.com.

This way all services on the network can simply use auth.example.com as
the single point of contact and we can run OpenLDAP, Kerberos and
saslauthd (for LDAP authentication pass-through to Kerberos) more highly
available.

In my original post I tried to abstract those seemingly unnecessary
details but that did not do much good.

For saslauthd to work there must be a host-specific principal in
/etc/krb5.keytab, i.e. host/auth01.example.com or
host/auth02.example.com, but for wallet/remctld to work there needs to
be one for the service address as well, i.e. host/auth.example.com.

The latter is what was missing, so I added it to /etc/krb5.keytab on
each of the two auth servers and now those simple wallet tests seem to
work as expected.

But do I have to fear any negative consequences after adding more than
one host principal to /etc/krb5.keytab? Will this break anything? Is it
even "legal" to do?

Thanks again,

Andreas
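A check for the situation described in this message, added here as an example and not part of the original post or of the wallet/remctld project: on each node of the active/passive pair, confirm that /etc/krb5.keytab holds a host principal for the node's own name (what saslauthd uses) and for the floating service name (what remctld clients look up). The hostnames follow the thread; the realm EXAMPLE.COM and the `klist -k` sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a node's keytab
# contains both host principals an active/passive auth node needs:
#   host/<node fqdn>@REALM      (used by saslauthd)
#   host/auth.example.com@REALM (used by remctld/wallet via the floating name)
# REALM and hostnames are assumptions modelled on the thread.

REALM=EXAMPLE.COM
SERVICE_NAME=auth.example.com   # floating/virtual name that clients contact

# Print the distinct principals found in `klist -k` output read from stdin.
# klist prints one line per key (one per enctype), so a principal usually
# appears several times; sort -u collapses the duplicates.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Usage: klist -k | missing_principals "$(hostname -f)"
# Echoes each required host principal that is absent, one per line, and
# returns non-zero; prints nothing and returns 0 when the keytab is complete.
missing_principals() {
    node="$1"
    present=$(keytab_principals)
    missing=""
    for p in "host/$node@$REALM" "host/$SERVICE_NAME@$REALM"; do
        if printf '%s\n' "$present" | grep -Fxq "$p"; then
            :
        else
            missing="$missing$p
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample: what `klist -k` showed on auth01 before the fix.
BEFORE_FIX='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/auth01.example.com@EXAMPLE.COM
   2 host/auth01.example.com@EXAMPLE.COM'

# Constructed sample: the same keytab after adding the service principal, e.g.
#   kadmin -q "ktadd -k /etc/krb5.keytab host/auth.example.com"
AFTER_FIX="$BEFORE_FIX
   3 host/auth.example.com@EXAMPLE.COM
   3 host/auth.example.com@EXAMPLE.COM"

# Helper that feeds a captured klist output to the check for a given node.
check_node() {
    printf '%s\n' "$2" | missing_principals "$1"
}

# Stand-alone run against the constructed samples.
check_node auth01.example.com "$BEFORE_FIX" || echo "auth01 (before): keytab incomplete"
check_node auth01.example.com "$AFTER_FIX"  && echo "auth01 (after): keytab complete"
```

On a real node the check is just `klist -k | missing_principals "$(hostname -f)"`. One caveat when both nodes need the same host/auth.example.com key: each `ktadd` generates a fresh random key and bumps the kvno, so running it separately on auth01 and auth02 leaves the node extracted first holding a stale key. Extract the service principal once and copy that keytab entry to the other node (for example with `ktutil`), or confirm with `klist -k` that the kvno for host/auth.example.com matches on both nodes.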
