problem sending initial data to slave Kerberos server
Dave Steiner
steiner at oit.rutgers.edu
Wed Jan 29 13:44:41 EST 2014
[I posted this to the comp.protocols.kerberos newsgroup but don't see it in the
mailing list archives. Please forgive if this gets duplicated. -ds]
I'm having problems adding a slave to an existing test cluster. The output is
slightly sanitized. I've researched this and can't find out what I'm missing.
The keytabs have the correct kvnos. trace and debug mode on the kpropd don't
seem to show anything wrong. What do I need to check that I'm missing?
master$ /usr/local/kerberos/sbin/kprop -r REALM -d -P 754 -f slave_datatrans slave.rutgers.edu
/usr/local/kerberos/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
/usr/local/kerberos/sbin/kprop: Decrypt integrity check failed signalled from server
Error text from server: Decrypt integrity check failed
master$ /usr/local/kerberos/bin/ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 4 host/master at REALM
2 7 host/master.rutgers.edu at REALM
slave$ /usr/local/kerberos/bin/ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/slave at REALM
2 2 host/slave.rutgers.edu at REALM
I need both of these entries due to the way our Unix support sets up the
hostname. The "resolve" test program doesn't find any issues.
master$ /usr/local/kerberos/sbin/kadmin.local -r REALM
Authenticating as principal krbadm/admin at REALM with password.
kadmin.local: getprinc host/slave
Principal: host/slave at REALM
Expiration date: [never]
Last password change: Tue Jan 28 17:13:06 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 17:13:06 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local: getprinc host/slave.rutgers.edu
Principal: host/slave.rutgers.edu at REALM
Expiration date: [never]
Last password change: Tue Jan 28 17:13:06 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 17:13:06 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local: getprinc host/master
Principal: host/master at REALM
Expiration date: [never]
Last password change: Tue Jan 28 18:52:10 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 18:52:10 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 4, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin.local: getprinc host/master.rutgers.edu
Principal: host/master.rutgers.edu at REALM
Expiration date: [never]
Last password change: Tue Jan 28 18:52:10 EST 2014
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jan 28 18:52:10 EST 2014 (krbadm/admin at REALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 7, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kpropd running on the slave:
/usr/local/kerberos/sbin/kpropd -r REALM -f /u01/krb/data/REALM/from_master -F /u01/krb/data/REALM/principal -P 754 -S -d
debug output from kpropd:
Connection from master.rutgers.edu
krb5_recvauth(6, kprop5_01, host/slave at REALM, ...)
Database load process for full propagation completed.
waiting for a kprop connection
trace output from kpropd:
[4318] 1390947375.656260: Convert service host (service with host as instance) on host (null) to principal
[4318] 1390947375.657065: Remote host after forward canonicalization: slave
[4318] 1390947375.657102: Remote host after reverse DNS processing: slave
[4318] 1390947375.657114: Get host realm for slave
[4318] 1390947375.657131: Use local host slave to get host realm
[4318] 1390947375.657140: Look up slave in the domain_realm map
[4318] 1390947375.657155: Got realm for host slave
[4318] 1390947375.657201: Got service principal host/slave@
[4319] 1390947385.303114: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
[5029] 1390947902.449116: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
[5046] 1390947929.179913: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
[8676] 1390950188.191260: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
[8831] 1390950354.193759: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
[12984] 1390952933.79323: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
[13422] 1390953199.426489: Retrieving host/slave at REALM from FILE:/etc/krb5.keytab (vno 2, enctype des-cbc-crc) with result: 0/Success
Thanks for any help!
-ds
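
The kvno comparison the post does by eye, between `ktutil` listings and `kadmin.local` `getprinc` output, can be scripted. This is an added example, not part of the original post or of MIT Kerberos; the function names, the `example.edu` host and the sample text are constructed for illustration.

```python
import re

# Constructed sample text in the format shown in the post (not real data).
KTUTIL_LIST = """\
slot KVNO Principal
---- ---- ------------------------------
   1    2 host/slave@REALM
   2    3 host/slave.example.edu@REALM
"""
GETPRINC = """\
Principal: host/slave@REALM
Key: vno 2, des-cbc-crc, no salt
Principal: host/slave.example.edu@REALM
Key: vno 4, des-cbc-crc, no salt
"""

def parse_keytab(text):
    """Map principal -> set of kvnos from `ktutil: l` output."""
    entries = {}
    for line in text.splitlines():
        # Accept "@" or the archive's " at " obfuscation in principal names.
        m = re.match(r"\s*\d+\s+(\d+)\s+(\S+(?:@| at )\S+)\s*$", line)
        if m:
            princ = m.group(2).replace(" at ", "@")
            entries.setdefault(princ, set()).add(int(m.group(1)))
    return entries

def parse_kdc(text):
    """Map principal -> [(kvno, enctype)] from `getprinc` output."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip().replace(" at ", "@")
            keys[current] = []
        elif current and (m := re.match(r"Key: vno (\d+), ([\w-]+)", line)):
            keys[current].append((int(m.group(1)), m.group(2)))
    return keys

def audit(keytab, kdc):
    """Return (principal, finding) pairs for kvno drift and single-DES keys."""
    findings = []
    for princ, keys in sorted(kdc.items()):
        newest = max((v for v, _ in keys), default=None)
        have = keytab.get(princ, set())
        if newest not in have:
            findings.append((princ, f"kvno mismatch: KDC {newest}, keytab {sorted(have)}"))
        # Single-DES enctypes are deprecated (RFC 6649).
        if any(e.startswith("des-") for _, e in keys):
            findings.append((princ, "single-DES key"))
    return findings
```

Call `audit(parse_keytab(...), parse_kdc(...))` on captured output from each host. A matching kvno does not prove the key bytes match: the post shows matching kvnos alongside the decrypt failure.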