Back channel replication
Karen McArthur
kmcarthu at bates.edu
Thu Oct 3 11:22:01 EDT 2013
I have a master KDC running on Linux with replication to 2 slaves working
fine, so I have set up replication before. I have recently acquired an
offsite DR location where I would like to replicate to a third slave. My
communication to the offsite machine is through a private back channel
interface (10.x.x.x) called ns3-int.fqdn (the machine's public interface
is known as ns3.fqdn with a public IP).
The slave hostname command resolves to the public name ns3, not the private
name ns3-int.
I have set up my keytab file with keys to both host/ns.fqdn and
host/ns-int.fqdn.
I have placed the ns-int name and IP in @ns3-int:/etc/hosts.
I receive the following when trying to run kprop:
/usr/kerberos/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans -d
ns3-int.fqdn
/usr/kerberos/sbin/kprop: Server rejected authentication (during sendauth
exchange) while authenticating to server
/usr/kerberos/sbin/kprop: Decrypt integrity check failed signalled from
server
Error text from server: Decrypt integrity check failed
Any ideas how I can get replication to work in these conditions? Only
host/ns-int.fqdn exists in kpropd.acl; when I put host/ns.fqdn there, I get the
same error.
--
Karen R McArthur, Systems Administrator
ILS, Bates College, Lewiston, ME USA
(207) 786-8236 FAX (207) 786-6057
NEVER share your password. No one (not even ILS) has a legitimate reason
to ask for it.
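As an added illustration (not code from the original post or from MIT Kerberos), the script below models the three things that have to line up for a kprop push to succeed when the slave is reached through a second interface name: the canonical hostname that the target given to `kprop -d` resolves to (which decides the host/<name> service principal the ticket is issued for), the matching entry and key version in the slave's keytab, and the master's principal in kpropd.acl. The hosts table, realm, principal names and key versions are constructed sample values, and the resolution step is a simplification of the real library behaviour (an /etc/hosts-style lookup where the first name after the address is the canonical one).

```python
"""Simulated consistency check for kprop/kpropd.

Added example, not code from the original post. It models (as an
assumption about the flow, not a reproduction of the library) what the
two sides do:
  1. kprop canonicalizes the -d host name and requests a ticket for
     host/<canonical-name>@REALM.
  2. kpropd decrypts that ticket with the keytab entry for the same
     principal; a missing entry or a stale key version (kvno) shows up
     as a decrypt failure rather than an ACL failure.
  3. kpropd then checks the *client* principal (the master's host
     principal) against kpropd.acl.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.EDU"  # constructed realm name


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int


def canonical_name(target, hosts_table):
    """Return the canonical hostname for `target` from /etc/hosts-style text.

    The first name after the address is treated as canonical; any later
    names on the line are aliases that resolve to it.
    """
    for line in hosts_table.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        names = line.split()[1:]
        if target in names:
            return names[0]
    return target  # no entry: the name is used as given


def diagnose(target, hosts_table, slave_keytab, kdc_kvnos, acl, master_host):
    """Return a list of problems; an empty list means the push should succeed.

    slave_keytab: KeytabEntry list as the slave's /etc/krb5.keytab would hold.
    kdc_kvnos:    principal -> current key version on the master KDC.
    acl:          set of principals listed in the slave's kpropd.acl.
    master_host:  FQDN whose host/ principal kprop authenticates as.
    """
    problems = []
    server = f"host/{canonical_name(target, hosts_table)}@{REALM}"
    entry = next((e for e in slave_keytab if e.principal == server), None)
    if entry is None:
        problems.append(f"{server} not in slave keytab")
    elif kdc_kvnos.get(server) != entry.kvno:
        problems.append(
            f"{server} keytab kvno {entry.kvno} != KDC kvno "
            f"{kdc_kvnos.get(server)} (stale key, decrypt would fail)"
        )
    client = f"host/{master_host}@{REALM}"
    if client not in acl:
        problems.append(f"{client} not in kpropd.acl")
    return problems


if __name__ == "__main__":
    # Constructed sample: the back-channel name is canonical on the slave.
    hosts = "10.0.0.3  ns3-int.example.edu ns3-int   # private interface\n"
    keytab = [KeytabEntry("host/ns3-int.example.edu@EXAMPLE.EDU", 2)]
    kdc = {"host/ns3-int.example.edu@EXAMPLE.EDU": 2}
    acl = {"host/kdc1.example.edu@EXAMPLE.EDU"}
    for t in ("ns3-int.example.edu", "ns3-int"):
        print(t, "->", diagnose(t, hosts, keytab, kdc, acl, "kdc1.example.edu") or "ok")
```

Running it with the sample data reports "ok" for both the full and short back-channel names; changing the hosts line so that ns3-int.example.edu becomes an alias of ns3.example.edu, or lowering the keytab kvno, produces a keytab problem instead of an ACL problem, which is the distinction worth checking first when the error is a decrypt failure.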