problem sending initial data to slave Kerberos server

Greg Hudson ghudson at MIT.EDU
Wed Jan 29 15:59:48 EST 2014


On 01/29/2014 01:44 PM, Dave Steiner wrote:
> I'm havin problems adding a slave to an existing test cluster.

kpropd should be syslogging at LOG_ERROR; finding the relevant syslog
should help figure out what step is failing.  The failure might be
coming from rd_req during authentication, or rd_safe during transmission
of the size, or rd_priv during transmission of the database contents.
Whatever it is, it seems to be causing an AP_ERR_BAD_INTEGRITY code
getting sent sent back from kpropd to kprop.

My guess is that the failure is coming from rd_safe or rd_priv, since
rd_req can't produce an AP_ERR_BAD_INTEGRITY error at this point (it
produces AP_WRONG_PRINC instead).  But I'm not sure what would cause a
decryption or checksum failure for a KRB-SAFE or KRB-PRIV message, to be
honest.  A NAT between master and slave could cause an AP_ERR_BADADDR
error, but we're not seeing that.

The fact that you need host/slave and host/slave.rutgers.edu principals
is troubling, but is most likely just a confounding variable, not the
cause of this particular problem.


More information about the Kerberos mailing list