Mike Dopheide wrote: > > My first guess is that the slave KDC doesn't have a host/ entry in the > principal database (and in it's krb5.keytab). Check your kerberos logs > and see if you're getting a client not found error for > host/rapanui.ph.ic.ac.uk
Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but host/localhost.localdomain (i.e. the requesting host) that was the problem. Adding this to the principal database (& extracting it to keytabs on both master & slave) fixed the immediate problem. However: a) I'd rather not have a host/localhost.localdomain principal. How should I ensure that the requesting host uses its proper name? b) I've now encountered another problem: kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk gives kprop: Decrypt integrity check failed while getting initial ticket I found this thread: http://mailman.mit.edu/pipermail/kerberos/2006-July/010082.html & discovered a key number mismatch on the master. Curiously, it seems that on adding host/localhost.localdomain, its kvno was 4, but the first time I extracted it, its kvno was 3. Is this normal/correct? Anyway, I fixed that, but then got this error: kprop: Server rejected authentication (during sendauth exchange) while authenticating to server Generic remote error: Key version number for principal in key table is incorrect I tried to fix this by extracting the key to the slave keytab: after this I was back to the original error: kprop: Decrypt integrity check failed while getting initial ticket At this point, on the master, the kvno matches in keytab & main database; but it doesn't on the slave. I can't see how to fix this, since each extraction seems to +1 to the kvno. However, kinit as host/localhost.localdomain, using the relevant keytab, works on both master & slave. I'm kind of stuck at this point! Any suggestions would be much appreciated! Regards, Juliet -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Ms Juliet Kemp + + Computer Manager [EMAIL PROTECTED] + + Astrophysics Group + + Imperial College Tel: +44 (0)20759 47538 + + London. SW7 2AZ Fax: +44 (0)20759 47541 + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
