Replica KDC has no support for encryption type
Dr. Lars Hanke
debian at lhanke.de
Fri Feb 4 02:19:42 EST 2022
I want to set up a replicated Kerberos server on a different site. The
original Kerberos with LDAP backend (ldapi:///) is running for more than
a decade. So I cloned the LXC container with Kerberos and LDAP and
instantiated it on the new site just adapting host names, certificates,
etc. This apparently worked provided the database was not changed of
course. For that reason I set up the new LDAP as a syncprov replication
of the original one also using Kerberos for authentication. The
configuration of the KDC remained unchanged. This also worked e.g. I see
the principals created on the original server on the replica KDC.
By setting the 'kdc' for the realm in '/etc/krb5.conf' I can now select,
which KDC to use. Using tickets from the original KDC I can authenticate
users to both LDAP servers. I can use the new KDC to authenticate users
to the original LDAP server, BUT using the new KDC to obtain a ticket
for the new LDAP I get:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC has no support for encryption type)
Checking the ticket cache with 'klist -e' I cannot see any difference
which KDC I used. The TGT can be obtained from either server.
Logging 'slapd' I found that LDAP is accessed for the TGT, but not for
the service ticket - same for both installations. So at the first glance
it seems unrelated to LDAP. I did a 'service krb5-kdc restart' after
LDAP replication was up and running.
Kerberos 1.17 and OpenLDAP 2.4.47 are current Debian 10. I wanted to
upgrade to bullseye as soon as the system is running.
Any ideas what is happening?
Thanks for your help,
- lars.
More information about the Kerberos
mailing list