Help with replication

Russ Allbery eagle at eyrie.org
Mon Jul 18 15:34:16 EDT 2022


Bill MacAllister <bill at ca-zephyr.org> writes:

> The KDC logs revealed that indeed the principal did not exist.  I had
> updated the krb5.conf to use a cname for the admin principal and kpropd
> is using the entry in the krb5.conf without canonicalization.  I changed
> the krb5.conf file to use host names that matched the principals that I
> had created.  That along with making sure kadm5.acl and kpropd.acl had
> the appropriate entries solved my problem.  Thanks for the pointer.
> (Who would have thought to look in the logs?  Certainly not me.)

Is this the thing where kpropd always uses exactly the hostname you have
listed and doesn't do any DNS canonicalization?  If so, I've run into that
before and I think I just put keys for all of the principals that could be
formed from all the possible replica names in the keytab file for the
replicas and my recollection is that worked, although it's been a few
years.

> I guess one way would be to create principals for the cnames.

Right, yeah, that.  Similar to what we had to do with LDAP servers.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>
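The two failure modes discussed in this thread (kpropd asking the KDC for a service principal built from the admin_server name exactly as written in krb5.conf, and a replica keytab lacking a key for a host name kprop was given) can be caught before a propagation run by a small configuration check. The script below is an added example, not code from Bill's or Russ's messages and not part of MIT Kerberos. It assumes, as the thread describes, that no DNS canonicalization is applied to the configured names; that in incremental mode kpropd requests `kiprop/<admin_server host>@REALM` (the service name is an assumption, not stated in the thread); and that kprop authenticates to `host/<replica name as listed>@REALM`. The krb5.conf fragment, the principal list, the keytab contents and the CNAME table are all constructed stand-ins for a `kadmin listprincs`, `klist -k` and DNS lookup.

```python
"""Predict the service principals kpropd/kprop will request, using host names
exactly as written in configuration, and report which ones do not exist."""
import re

REALM = "EXAMPLE.ORG"

# Constructed krb5.conf fragment: admin_server points at a CNAME, not a KDC's
# canonical host name (the situation described in the thread).
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org
        admin_server = kerberos-admin.example.org:749
    }
"""

# Constructed stand-in for 'kadmin listprincs' output on the KDC.
KDC_PRINCIPALS = {
    "kadmin/kdc1.example.org@EXAMPLE.ORG",
    "kiprop/kdc1.example.org@EXAMPLE.ORG",
    "host/kdc1.example.org@EXAMPLE.ORG",
    "host/kdc2.example.org@EXAMPLE.ORG",
}

# Constructed CNAME table: what a canonicalizing lookup *would* have produced.
CNAMES = {
    "kerberos-admin.example.org": "kdc1.example.org",
    "kdc-backup.example.org": "kdc2.example.org",
}


def realm_block(conf, realm):
    """Return the text inside 'REALM = { ... }' in the [realms] section."""
    m = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)^\s*\}",
                  conf, re.S | re.M)
    if not m:
        raise ValueError(f"realm {realm} not found in krb5.conf")
    return m.group(1)


def admin_server_hosts(conf, realm):
    """admin_server host names for the realm, exactly as written (port stripped)."""
    hosts = []
    for m in re.finditer(r"^\s*admin_server\s*=\s*(\S+)", realm_block(conf, realm), re.M):
        hosts.append(m.group(1).split(":")[0])  # the port is not part of the principal
    return hosts


def principal(service, host, realm):
    return f"{service}/{host}@{realm}"


def check_iprop_target(conf, realm, kdc_principals, cnames):
    """For each admin_server entry: the principal kpropd requests literally versus
    the one it would have requested after canonicalization, and whether each exists."""
    rows = []
    for host in admin_server_hosts(conf, realm):
        literal = principal("kiprop", host, realm)          # assumption: kiprop/ service
        canonical = principal("kiprop", cnames.get(host, host), realm)
        rows.append({
            "host_as_written": host,
            "requested": literal,
            "exists": literal in kdc_principals,
            "after_canonicalization": canonical,
            "canonical_exists": canonical in kdc_principals,
        })
    return rows


def missing_replica_keys(replica_names, keytab_principals, realm):
    """kprop authenticates to host/<name-as-listed>@REALM; return the ones the
    replica's keytab (e.g. from 'klist -k') does not hold."""
    wanted = [principal("host", n, realm) for n in replica_names]
    return [p for p in wanted if p not in keytab_principals]


def keytab_principals_needed(replica_names, realm, cnames):
    """The workaround from the thread: a key for every name a replica may be
    referred to by, both as listed and as its canonical target."""
    needed = set()
    for n in replica_names:
        needed.add(principal("host", n, realm))
        needed.add(principal("host", cnames.get(n, n), realm))
    return sorted(needed)


if __name__ == "__main__":
    for row in check_iprop_target(KRB5_CONF, REALM, KDC_PRINCIPALS, CNAMES):
        print(f"admin_server {row['host_as_written']}: kpropd requests "
              f"{row['requested']} (exists: {row['exists']}); canonical form "
              f"{row['after_canonicalization']} (exists: {row['canonical_exists']})")
    replica_keytab = {"host/kdc2.example.org@EXAMPLE.ORG"}   # constructed 'klist -k'
    listed = ["kdc2.example.org", "kdc-backup.example.org"]
    print("missing from replica keytab:", missing_replica_keys(listed, replica_keytab, REALM))
    print("keys to provision:", keytab_principals_needed(listed, REALM, CNAMES))
```

A "server not found" line in the KDC log for a `kiprop/` or `host/` principal that the check flags as non-existent is the same symptom Bill saw; the fix is either to write the canonical host name into krb5.conf (and the replica list) or to create principals and keytab entries for the aliases as well.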
