Help with replication
Bill MacAllister
bill at ca-zephyr.org
Mon Jul 18 13:47:09 EDT 2022
On 2022-07-17 21:03, Ken Hornstein wrote:
>
>> [27738] 1658108981.225629: Received error from KDC: -1765328377/Server
>> not found in Kerberos database
>
> Which suggests you did not (although it wasn't from the primary KDC, which
> suggests that maybe whatever KDC you used didn't have it replicated yet).
> The KDC logs should explain what went wrong.
The KDC logs revealed that indeed the principal did not exist. I had updated
the krb5.conf to use a cname for the admin principal and kpropd is using the
entry in the krb5.conf without canonicalization. I changed the krb5.conf
file to use host names that matched the principals that I had created. That
along with making sure kadm5.acl and kpropd.acl had the appropriate entries
solved my problem. Thanks for the pointer. (Who would have thought to look
in the logs? Certainly now me.)
I am a bit surprised that the cnames in the krb5.conf file were the problem.
I would like to use a common krb5.conf file everywhere deployed by our
configuration management processes. I guess one way would be to create
principals for the cnames. Seems a bit unclean. Or just have a unique
krb5.conf for kdc systems.
Thanks again Greg and Ken for the help. My head was getting sore from
pounding against that wall.
Bill
--
Bill MacAllister <bill at ca-zephyr.org>
"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."
Phil Ochs
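The mismatch Bill describes (krb5.conf naming a KDC by a CNAME while the host principal exists only under the canonical name) is easy to catch before kprop ever runs. The following is an added illustration, not code from the original thread or from MIT Kerberos: it parses the kdc= and admin_server= lines of a [realms] stanza and checks that a host/<name>@REALM principal exists exactly as written. The sample krb5.conf, the principal list (as one would get from kadmin listprincs) and the CNAME-to-canonical map standing in for DNS are all constructed, and the hostnames and realm are placeholders.

```python
import re

# Constructed sample krb5.conf fragment that names the KDCs by CNAME
# (placeholder hostnames and realm, not from the original post).
KRB5_CONF_CNAMES = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc-primary.example.com
        kdc = kdc-replica.example.com
        admin_server = kdc-primary.example.com
    }
"""

# The same stanza after the fix: hostnames match the host principals.
KRB5_CONF_CANONICAL = KRB5_CONF_CNAMES.replace(
    "kdc-primary.example.com", "kdc1.example.com"
).replace("kdc-replica.example.com", "kdc2.example.com")

# Constructed sample: principals that actually exist in the KDC database.
KDC_PRINCIPALS = {
    "host/kdc1.example.com@EXAMPLE.COM",
    "host/kdc2.example.com@EXAMPLE.COM",
    "kadmin/admin@EXAMPLE.COM",
}

# Constructed CNAME -> canonical name map, used instead of a DNS lookup
# so the check runs offline.
CNAME_MAP = {
    "kdc-primary.example.com": "kdc1.example.com",
    "kdc-replica.example.com": "kdc2.example.com",
}


def parse_realm_hosts(conf_text):
    """Return {realm: [host, ...]} from the kdc= and admin_server= lines
    of the [realms] section, dropping any :port suffix and duplicates."""
    hosts = {}
    realm = None
    in_realms = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"([A-Za-z0-9.\-]+)\s*=\s*\{", line)
        if m:
            realm = m.group(1)
            hosts.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        m = re.match(r"(kdc|admin_server)\s*=\s*(\S+)", line)
        if m and realm:
            host = m.group(2).split(":")[0]
            if host not in hosts[realm]:
                hosts[realm].append(host)
    return hosts


def check_host_principals(conf_text, principals, cname_map):
    """Map each host/<name>@REALM implied by krb5.conf to 'ok' (exists as
    written), 'cname-mismatch' (only the canonical name has a principal)
    or 'missing' (neither form exists)."""
    report = {}
    for realm, names in parse_realm_hosts(conf_text).items():
        for name in names:
            as_written = f"host/{name}@{realm}"
            as_canonical = f"host/{cname_map.get(name, name)}@{realm}"
            if as_written in principals:
                status = "ok"
            elif as_canonical in principals:
                status = "cname-mismatch"
            else:
                status = "missing"
            report[as_written] = status
    return report


if __name__ == "__main__":
    for label, conf in (("cnames", KRB5_CONF_CNAMES), ("canonical", KRB5_CONF_CANONICAL)):
        print(f"== {label} ==")
        for princ, status in check_host_principals(conf, KDC_PRINCIPALS, CNAME_MAP).items():
            print(f"{status:15s} {princ}")
```

A 'cname-mismatch' result is exactly the situation that produced the "Server not found in Kerberos database" error above; either the krb5.conf hostname or the principal set has to change so the two agree. Adding a matching entry in kpropd.acl and kadm5.acl for whichever name is chosen is a separate step the script does not cover.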