Help with replication
Bill MacAllister
bill at ca-zephyr.org
Sat Jul 16 05:00:04 EDT 2022
I am having problems with replication on a second replica that I am
setting up. The second replica looks like the first as far as I can
tell, but I am seeing krb5-kpropd service failures. I can kdb5_util dump
and load the database from the master to the new replica just fine, but
I am seeing the following errors when I start up krb5-kpropd.

2022-07-16T08:17:57.049587+00:00 kdc-iad-1 kpropd[630]: /usr/sbin/kpropd: Key table entry not found while initializing /usr/sbin/kpropd interface, retrying
2022-07-16T08:18:00.385533+00:00 kdc-iad-1 kpropd[630]: /usr/sbin/kpropd: Key table entry not found while initializing /usr/sbin/kpropd interface, retrying

The DNS entries for both the master and the slave look fine to me. The
/etc/krb5.keytab on the slave looks fine and it seems to work fine when
I use it to access other services, e.g. our LDAP servers.

This is a stock Ubuntu 18.04 system with krb5-kdc 1.16 installed. I
know this is ancient at this point, but I would really like to
understand what is happening here before I bite off an upgrade.

Here is my kdc.conf.
[kdcdefaults]
kdc_ports = 88
[realms]
MYREALM.COM = {
kdc_ports = 88
kadmind_port = 749
iprop_enable = true
iprop_port = 2121
iprop_slave_pool = 1m
database_name = /var/lib/krb5kdc/db/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
max_life = 25h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal arcfour-hmac:normal des3-hmac-sha1:normal
default_principal_flags = +preauth
}
[logging]
kdc = FILE:/var/lib/krb5kdc/log/kdc.log
admin_server = FILE:/var/lib/krb5kdc/log/kadmin.log
What am I missing? What should I be looking at?
Bill
--
Bill MacAllister <bill at ca-zephyr.org>
"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."
Phil Ochs