Mike Dopheide wrote: > > Hhmm.. okay. First of all, you don't want to have the same keys in > krb5.keytab on both systems. A system should really only have keys for > itself and any services it provides (like host/hostname, ftp/hostname, > etc).
Ah, right, OK. Misapprehension there on my part; I'm still getting to grips with Kerberos. I've now managed to fix the initial identity/key problems, by appropriate removing/recreating of principals so I now have host/elysium.ph.ic.ac.uk in the master keytab, host/rapanui.ph.ic.ac.uk in the slave keytab & both with KVNO that match the database. The issue I'm now having is this error in the slave logs: kpropd: Incorrect net address while decoding database size from client I was hoping that this was related to the identity issue below, but I've now resolved that, so it seems not (unless it's another subtle difference? e.g. the ticket having a 127.0.0.1 address? Might that happen?). The only reference I can find in the list archives is to a multihoming issue, which doesn't apply here. [ Solution to identity problem is below, for reference ] Thanks very much for all the help given so far! Thoughts on the latest stalling point welcome. Regards, Juliet > But first you need to fix the identity crisis your server is having. hostname was returning correct; and /etc/hosts had: 155.198.204.57 elysium.ph.ic.ac.uk elysium 127.0.0.1 localhost.localdomain localhost elysium Googling revealed some discussion on the Debian lists about this (the standard Debian ordering) being the wrong order ( http://lists.debian.org/debian-devel/2005/10/msg00387.html ), as a result of which I've now replaced that last line with 127.0.0.1 localhost localhost.localdomain elysium which works. host/localhost.localdomain principal has now been removed. > > The master should have it's host/master.ph.ic.ac.uk in it's > /etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk. > The slave should also have a kpropd.acl with just the text > "host/master.ph.ic.ac.uk", not the actual key. > > Hopefully that will get you further. > > -Mike > >> Mike Dopheide wrote: >>> >>> My first guess is that the slave KDC doesn't have a host/ entry in the >>> principal database (and in it's krb5.keytab). Check your kerberos logs >>> and see if you're getting a client not found error for >>> host/rapanui.ph.ic.ac.uk >> >> Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but >> host/localhost.localdomain (i.e. the requesting host) that was the >> problem. >> >> Adding this to the principal database (& extracting it to keytabs on >> both master & slave) fixed the immediate problem. However: >> >> a) I'd rather not have a host/localhost.localdomain principal. How >> should I ensure that the requesting host uses its proper name? >> >> b) I've now encountered another problem: >> kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk >> gives >> kprop: Decrypt integrity check failed while getting initial ticket >> >> I found this thread: >> http://mailman.mit.edu/pipermail/kerberos/2006-July/010082.html >> >> & discovered a key number mismatch on the master. Curiously, it seems >> that on adding host/localhost.localdomain, its kvno was 4, but the first >> time I extracted it, its kvno was 3. Is this normal/correct? Anyway, I >> fixed that, but then got this error: >> >> kprop: Server rejected authentication (during sendauth exchange) while >> authenticating to server >> Generic remote error: Key version number for principal in key table is >> incorrect >> >> I tried to fix this by extracting the key to the slave keytab: after >> this I was back to the original error: >> >> kprop: Decrypt integrity check failed while getting initial ticket >> >> At this point, on the master, the kvno matches in keytab & main >> database; but it doesn't on the slave. I can't see how to fix this, >> since each extraction seems to +1 to the kvno. >> >> However, kinit as host/localhost.localdomain, using the relevant keytab, >> works on both master & slave. >> >> I'm kind of stuck at this point! Any suggestions would be much >> appreciated! >> >> >> Regards, >> Juliet -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + Ms Juliet Kemp + + Computer Manager [EMAIL PROTECTED] + + Astrophysics Group + + Imperial College Tel: +44 (0)20759 47538 + + London. SW7 2AZ Fax: +44 (0)20759 47541 + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
