problem sending initial data to slave Kerberos server
Tom Yu
tlyu at MIT.EDU
Wed Jan 29 17:44:46 EST 2014
Greg Hudson <ghudson at MIT.EDU> writes:
> My guess is that the failure is coming from rd_safe or rd_priv, since
> rd_req can't produce an AP_ERR_BAD_INTEGRITY error at this point (it
> produces AP_WRONG_PRINC instead). But I'm not sure what would cause a
> decryption or checksum failure for a KRB-SAFE or KRB-PRIV message, to be
> honest. A NAT between master and slave could cause an AP_ERR_BADADDR
> error, but we're not seeing that.
I'm fairly sure it's coming from rd_req (via recvauth) in the kpropd.
The "signalled from server" text from kprop that accompanies "during
sendauth" only happens if there's a non-generic error code in the
KRB-ERROR from the server's recvauth.
> The fact that you need host/slave and host/slave.rutgers.edu principals
> is troubling, but is most likely just a confounding variable, not the
> cause of this particular problem.
That might depend on the krb5 version on the slave.