[Fwd: Re: kprop problem: Bad response (during sendauth exchange)]

Shivakeshav Santi ss488 at cornell.edu
Mon Jun 20 11:01:03 EDT 2005



---------------------------- Original Message ----------------------------
Subject: Re: kprop problem: Bad response (during sendauth exchange)
From:    "Shivakeshav Santi" <ss488 at cornell.edu>
Date:    Mon, June 20, 2005 9:10 am
To:      "Mike Friedman" <mikef at ack.Berkeley.EDU>
--------------------------------------------------------------------------

Hi Mike,

    Thanks for a detailed explanation.  Following your suggestion, I
removed the host entries from slave kdc.

I created the host principals on just master kdc. Started kadmin on slave
and extracted the keytab to slave.

But I still get the same error.

Thank you for your time.
keshav
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 17 Jun 2005 at 17:42 (-0400), Shivakeshav Santi wrote:
>
>>     Here is what I did on slave kdc:
>> 1) Created both master and slave host principals.
>> 2) used the ktadd command to create the keytab for slave's host principal.
>> 3) Created the kpropd.acl with both master and slave principal entries.
>> 4) Made changes to inetd.conf
>>
>>     Here is what I did on master kdc:
>> 1) Created both master and slave host principals.
>> 2) used the ktadd command to create the keytab for master's host
>> principal.
>> 3) Created the kpropd.acl with both master and slave principal entries.
>> 4) Made changes to inetd.conf
>
> Did you actually use kadmin.local on the *slave* to create host
> principals in the slave KDC?  You shouldn't be doing that.  All updates
> to the KDC must be done to the *master* KDC.
>
> First of all, only the slave's hostkey and keytab info are needed by
> kprop.  It's good to set up both master and slave symmetrically in case
> you ever want to convert a slave to a master, but at any given time,
> only the slave's host keytab is used by the kprop/kpropd process.
> Hence, in what follows, I'll talk only about the slave host principal
> and key.
>
> In this case, what might (and probably did) happen is this:
>
> o  You manually created a slave host principal directly in the slave KDC.
>
> o  You populated the slave's keytab from the slave KDC, by running
> kadmin.local on the slave and using the 'ktadd' subcommand.  (I misspoke
> in my earlier posting; when I said 'ktutil' I meant 'ktadd').
>
> o  You then went to the master and added the slave's principal there as
> well.  This wound up with a different random key than the one in the
> slave KDC.  So, already, the slave host key in the master KDC is not in
> agreement with what's in the keytab file on the slave.
>
> Now, when you run kprop on the master, it goes to the *master* KDC to
> get a service ticket for the slave host principal.  This will be
> encrypted in the current key of the slave host principal, *as it appears
> in the master KDC*.  When kprop sends this service ticket (via sendauth)
> to kpropd on the slave, the latter won't be able to decrypt it using the
> information in the slave's keytab file, because that information was
> based on the key you had created manually on the slave, hence the
> failure.
>
> Instead, you should do all creating of host keys (and anything else, for
> that matter) on the master KDC.  Then, start kadmind on the master.  This
> will allow you to run the kadmin client on the slave to download the
> keytab info (using the 'ktadd' subcommand) from the *master* KDC to the
> slave.
>
> I hope this is clear.
>
> Mike
>
> _____________________________________________________________________
> Mike Friedman                   System and Network Security
> mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
> 1-510-642-1410                  University of California at Berkeley
> http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
> _____________________________________________________________________
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQA/AwUBQrNVxa0bf1iNr4mCEQLrFQCfb/W/RfbVnVtCpz2raH9xi87nvUkAoOXB
> WgqkigSCDm1DQkRkxhl4kxT4
> =ezJ1
> -----END PGP SIGNATURE-----
>


-- 
Shivakeshav Santi

Programmer Analyst/Senior

Cornell Information Technologies
120 Maple Avenue
Cornell University
Tel :6072551916(O)

Ability may get you to the top, but only character will keep you there .....

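The check a practitioner would want before re-running kprop, added here as an example that is not part of this thread or of MIT Kerberos: compare the key version numbers (kvno) the slave's keytab carries for host/slave with the kvnos the master KDC holds for the same principal. In the scenario Mike describes (one random key created on the slave KDC, another on the master) the two sides were populated independently, so their kvnos and enctypes usually disagree, and this script points at it from captured command output without touching either KDC. The hostnames, realm, keytab path and both sample outputs below are constructed for the example, not taken from the original post.

```python
"""Offline consistency check: slave keytab versus master KDC for one principal.

Captured on the master (hostnames/realm are assumptions for this example):
    kadmin.local -q 'getprinc host/slave.example.com'  > getprinc.txt
Captured on the slave:
    klist -kte /etc/krb5.keytab                        > keytab.txt
Then: check_keytab_against_kdc(open('keytab.txt').read(), open('getprinc.txt').read())
"""
import re

# Constructed sample of MIT `klist -kte` output (not from any real system):
# KVNO, date, time, principal, enctype in parentheses.  Both keys are vno 1,
# as they would be if the principal had been created on the slave KDC itself.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/17/2005 17:40:02 host/slave.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 06/17/2005 17:40:02 host/slave.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Constructed sample of `kadmin.local -q 'getprinc host/slave.example.com'`
# on the master after the principal was (re)created there with a new random key.
SAMPLE_GETPRINC = """\
Principal: host/slave.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Jun 17 17:55:31 EDT 2005
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jun 17 17:55:31 EDT 2005 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Attributes:
Policy: [none]
"""

# kvno, date, time, principal, (enctype)
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# "Key: vno 2, aes256-cts-hmac-sha1-96" (older releases append ", no salt" etc.)
KDC_KEY_LINE = re.compile(r"^Key: vno (\d+), (.*)$")


def parse_keytab(text):
    """Return {principal: {enctype: kvno}} from `klist -kte` output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
            keys.setdefault(princ, {})[etype] = kvno
    return keys


def parse_getprinc(text):
    """Return (principal, {enctype: kvno}) from kadmin `getprinc` output."""
    princ, keys = None, {}
    for line in text.splitlines():
        if line.startswith("Principal: "):
            princ = line[len("Principal: "):].strip()
        m = KDC_KEY_LINE.match(line)
        if m:
            keys[m.group(2).strip()] = int(m.group(1))
    if princ is None:
        raise ValueError("no 'Principal:' line in getprinc output")
    return princ, keys


def check_keytab_against_kdc(keytab_text, getprinc_text):
    """Return a list of findings.  An empty list means every enctype the master
    KDC holds is present in the keytab at the same kvno; it does not prove the
    key bytes match (see the note after the block), only that nothing visible
    contradicts it."""
    keytab = parse_keytab(keytab_text)
    princ, kdc_keys = parse_getprinc(getprinc_text)
    local = keytab.get(princ)
    if local is None:
        return ["%s: not present in the keytab at all" % princ]
    findings = []
    for etype, kdc_vno in sorted(kdc_keys.items()):
        kt_vno = local.get(etype)
        if kt_vno is None:
            findings.append("%s: KDC has %s vno %d, keytab lacks that enctype"
                            % (princ, etype, kdc_vno))
        elif kt_vno != kdc_vno:
            findings.append("%s: %s is kvno %d in keytab but %d on the master KDC;"
                            " the keytab was not extracted from the master"
                            % (princ, etype, kt_vno, kdc_vno))
    for etype in sorted(local.keys() - kdc_keys.keys()):
        findings.append("%s: keytab has %s, which the master KDC does not"
                        % (princ, etype))
    return findings


if __name__ == "__main__":
    for f in check_keytab_against_kdc(SAMPLE_KEYTAB, SAMPLE_GETPRINC) or ["consistent"]:
        print(f)
```

A kvno match is necessary but not sufficient: if both KDCs created the principal independently, both sides can sit at vno 1 with different random keys, which is exactly the trap in this thread. The definitive test is to run `kinit -k -t /etc/krb5.keytab host/slave.example.com` on the slave (hostname assumed as above); it only succeeds if the keytab key matches the key the master KDC holds, and a failure there predicts the same sendauth failure in kpropd. When the script or kinit reports a mismatch, the fix is the one Mike gives: create or `change_password -randkey` the host principal on the master only, then run `kadmin -q 'ktadd host/slave.example.com'` on the slave against the master's kadmind, never `kadmin.local` on the slave.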