principal~.kadm5 & C.

Greg Hudson ghudson at MIT.EDU
Wed Jul 16 10:54:12 EDT 2014 

On 07/16/2014 10:08 AM, Giuseppe Mazza wrote:
[trying to kprop from krb5 1.4 to krb5 1.12 and it hangs]
> - I have read your archive. Apparently some people had a similar problem.
>   It seems to me that they were using two versions of Kerberos that were
>   too different... Well, it sounds familiar :-)

I'm not aware of any kprop incompatibilities between 1.4 and 1.12.
Where in the mail archive did you run across other people having a
similar problem?

> - Any idea how to solve the above problem?

I don't really know what has gone wrong at this point.  The ubuntu 14.04
slave received a connection and received 2.2M of dump data.  So, some
investigative steps:

* On the master, run "kdb5_util dump somefilename".  Is the result a
2.2M file or a larger file?  If it's a larger file, the transfer is
getting stuck.  If it's a 2.2M file, the database is being transferred
and the slave is getting stuck processing it.

* On the slave, look for kdb5_util processes.  If there is a "kdb5_util
load" process running, then the slave is stuck loading the dump file.
If not, then kpropd is stuck in some other fashion.

* If there is a kdb5_util load process, strace it ("strace -p pid") to
find out what system call it is blocking on, or what sequence of system
calls it is repeating.  You could also try installing the libkrb5-dbg
package and gdb attaching to the process to get a stack trace.

* If there isn't a kdb5_util load process, there is presumably a kpropd
process.  Do one of the above to the kpropd process to try to figure out
what it's stuck on.

> If you think that the two kerberos versions are too different, can you
> think a different strategy to solve the problem?

kprop and kpropd are basically a glorified way to "kdb5_util dump" on
the master and "kdb5_util load" on the slave.  You could try making a
dump file on the master, transferring it to the slave via scp or
similar, and loading it on the slave.  You might have the same issues,
but that would at least help narrow down what's going wrong.  You could
also run kdb5_util load with -verbose, or even run it under a debugger,
both of which are much more difficult when kpropd is doing it.

More information about the Kerberos mailing list