I have a kerberos master running version 7.1. I am attempting to replicate to slaves some of which run version 7.1 and some of which run version 1.5.2.

PROBLEM: Some of the principals will not replicate.

If I go on the master and change the password of one of these problematic principals, I see this in the replica's logs:

--------------------------------------------------------------
(version 1.5.2)
2018-06-15T21:17:47 replaying entry 131870
2018-06-15T21:17:47 kadm5_log_replay: 131870. Lost entry entry, Database out of sync ?: No such entry in the database (36150275)
2018-06-15T21:17:47 Ignoring command 8

(version 7.1)
2018-06-15T14:17:47.138560-07:00 kdc-test1 ipropd-slave[18033]: slave status change: up-to-date with version: 131870 at 2018-06-15T14:17:47
--------------------------------------------------------------

In both cases, the principal is not in either replica's database. That is, using a 'get' command returns "Principal does not exist".

On the master, the principal looks like this:
--------------------------------------------------------------
           Principal: xffers...@stanford.edu
    Principal expires: never
     Password expires: 2019-06-15 21:17:47 UTC
 Last password change: 2018-06-15 21:17:47 UTC
      Max ticket life: 1 day 1 hour
   Max renewable life: 1 week
                 Kvno: 7
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2018-06-15 21:17:47 UTC
             Modifier: kadmin/ad...@stanford.edu
           Attributes: disallow-svr, requires-pre-auth
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[7], aes128-cts-hmac-sha1-96(pw-salt)[7], des3-cbc-sha1(pw-salt)[7], arcfour-hmac-md5(pw-salt)[7]
          PK-INIT ACL:
              Aliases:
--------------------------------------------------------------

One extra piece of information. The master's database came by hprop'ing to it from a 1.5.2 master.


QUESTION: What could be a reason for this principal not to replicate?



Adam Lewenberg

Reply via email to