Back channel replication

Karen McArthur kmcarthu at bates.edu
Thu Oct 3 11:22:01 EDT 2013


I have a master KDC running on Linux with replication to 2 slaves working
fine, so I have set up replication before.  I have recently acquired an
offsite DR location where I would like to replicate to a third slave.  My
communication to the offsite machine is through a private back channel
interface (10.x.x.x) called ns3-int.fqdn  (The machine's public interface
is known as ns3.fqdn with a public IP).

The slave hostname command resolves to the public name ns3, not the private
name ns3-int.

I have set up my keytab file with keys to both host/ns.fqdn and
host/ns-int.fqdn.
I have placed the ns-int name and IP in @ns3-int:/etc/hosts.

I receive the following when trying to run kprop:

/usr/kerberos/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans -d
ns3-int.fqdn
/usr/kerberos/sbin/kprop: Server rejected authentication (during sendauth
exchange) while authenticating to server
/usr/kerberos/sbin/kprop: Decrypt integrity check failed signalled from
server
Error text from server: Decrypt integrity check failed

Any ideas how I can get replication to work in these conditions?  Only
host/ns-int.fqdn exists in kpropd.acl.  When I put host/ns.fqdn there, same
error.

--
Karen R McArthur, Systems Administrator
ILS, Bates College, Lewiston, ME USA
(207) 786-8236   FAX (207) 786-6057

NEVER share your password.  No one (not even ILS) has a legitimate reason
to ask for it.
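Added diagnostic, not from the original post: kpropd decrypts the ticket kprop sends using the host/ key for the name the slave believes is its own, so the first thing to verify on the slave is that this principal is in the keytab at the kvno the KDC holds. The klist -k listing, the hostnames ns3.fqdn / ns3-int.fqdn and the realm EXAMPLE.EDU below are constructed sample values.

```shell
# Constructed sample of `klist -k /etc/krb5.keytab` on the slave.
# Hostnames and realm are assumptions, not values from the post.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ns3.fqdn@EXAMPLE.EDU
   2 host/ns3-int.fqdn@EXAMPLE.EDU
   2 host/ns3-int.fqdn@EXAMPLE.EDU'

# keytab_kvno KLIST_OUTPUT HOSTNAME
# Prints the distinct kvno(s) stored for host/HOSTNAME@..., nothing if absent.
# klist -k repeats a principal once per enctype, hence sort -u.
keytab_kvno() {
    printf '%s\n' "$1" |
        awk -v princ="host/$2@" '$1 ~ /^[0-9]+$/ && index($NF, princ) == 1 { print $1 }' |
        sort -u
}

# check_slave_identity KLIST_OUTPUT HOSTNAME KDC_KVNO
# HOSTNAME is the name the slave resolves for itself (what `hostname` returns),
# KDC_KVNO is the kvno the KDC reports for that principal (e.g. via kvno or kadmin getprinc).
# Returns 0 when the keytab holds that principal at the KDC's kvno,
# 1 when the principal is missing, 2 when the kvno differs.
check_slave_identity() {
    kvno=$(keytab_kvno "$1" "$2" | tail -n 1)
    if [ -z "$kvno" ]; then
        echo "host/$2 is not in the keytab: kpropd cannot decrypt the kprop ticket" >&2
        return 1
    fi
    if [ "$kvno" != "$3" ]; then
        echo "host/$2 is kvno $kvno in the keytab but kvno $3 on the KDC: decrypt integrity check fails" >&2
        return 2
    fi
    echo "host/$2 kvno $kvno matches the KDC"
    return 0
}
```

Run it with the name from `hostname` on the slave, not the name kprop was given on the master; if the two differ, that is the principal whose key must be present and current.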