I'm stumped. I still think there's something inconsistent with the hostname, /etc/hosts, and/or DNS, but I'm not sure what else to suggest.
-Mike

> Mike Dopheide wrote:
>>
>> Hhmm.. okay. First of all, you don't want to have the same keys in
>> krb5.keytab on both systems. A system should really only have keys for
>> itself and any services it provides (like host/hostname, ftp/hostname,
>> etc).
>
> Ah, right, OK. Misapprehension there on my part; I'm still getting to grips
> with Kerberos.
>
> I've now managed to fix the initial identity/key problems, by appropriately
> removing/recreating principals, so I now have
>
> host/elysium.ph.ic.ac.uk in the master keytab,
> host/rapanui.ph.ic.ac.uk in the slave keytab
> & both with KVNOs that match the database.
>
> The issue I'm now having is this error in the slave logs:
>
> kpropd: Incorrect net address while decoding database size from client
>
> I was hoping that this was related to the identity issue below, but I've now
> resolved that, so it seems not (unless it's another subtle difference? e.g.
> the ticket having a 127.0.0.1 address? Might that happen?). The only
> reference I can find in the list archives is to a multihoming issue, which
> doesn't apply here.
>
> [ Solution to identity problem is below, for reference ]
>
> Thanks very much for all the help given so far! Thoughts on the latest
> stalling point welcome.
>
> Regards,
> Juliet
>
>> But first you need to fix the identity crisis your server is having.
>
> hostname was returning correct; and /etc/hosts had:
>
> 155.198.204.57 elysium.ph.ic.ac.uk elysium
> 127.0.0.1 localhost.localdomain localhost elysium
>
> Googling revealed some discussion on the Debian lists about this (the
> standard Debian ordering) being the wrong order (
> http://lists.debian.org/debian-devel/2005/10/msg00387.html ), as a result of
> which I've now replaced that last line with
>
> 127.0.0.1 localhost localhost.localdomain elysium
>
> which works. The host/localhost.localdomain principal has now been removed.
>
>> The master should have its host/master.ph.ic.ac.uk in its
>> /etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk. The
>> slave should also have a kpropd.acl with just the text
>> "host/master.ph.ic.ac.uk", not the actual key.
>>
>> Hopefully that will get you further.
>>
>> -Mike
>>
>>> Mike Dopheide wrote:
>>>>
>>>> My first guess is that the slave KDC doesn't have a host/ entry in the
>>>> principal database (and in its krb5.keytab). Check your kerberos logs
>>>> and see if you're getting a client not found error for
>>>> host/rapanui.ph.ic.ac.uk
>>>
>>> Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
>>> host/localhost.localdomain (i.e. the requesting host) that was the
>>> problem.
>>>
>>> Adding this to the principal database (& extracting it to keytabs on
>>> both master & slave) fixed the immediate problem. However:
>>>
>>> a) I'd rather not have a host/localhost.localdomain principal. How
>>> should I ensure that the requesting host uses its proper name?
>>>
>>> b) I've now encountered another problem:
>>> kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
>>> gives
>>> kprop: Decrypt integrity check failed while getting initial ticket
>>>
>>> I found this thread:
>>> http://mailman.mit.edu/pipermail/kerberos/2006-July/010082.html
>>>
>>> & discovered a key number mismatch on the master. Curiously, it seems
>>> that on adding host/localhost.localdomain, its kvno was 4, but the first
>>> time I extracted it, its kvno was 3. Is this normal/correct?
>>> Anyway, I fixed that, but then got this error:
>>>
>>> kprop: Server rejected authentication (during sendauth exchange) while
>>> authenticating to server
>>> Generic remote error: Key version number for principal in key table is
>>> incorrect
>>>
>>> I tried to fix this by extracting the key to the slave keytab: after
>>> this I was back to the original error:
>>>
>>> kprop: Decrypt integrity check failed while getting initial ticket
>>>
>>> At this point, on the master, the kvno matches in keytab & main
>>> database; but it doesn't on the slave. I can't see how to fix this,
>>> since each extraction seems to add 1 to the kvno.
>>>
>>> However, kinit as host/localhost.localdomain, using the relevant keytab,
>>> works on both master & slave.
>>>
>>> I'm kind of stuck at this point! Any suggestions would be much
>>> appreciated!
>>>
>>> Regards,
>>> Juliet
>
> --
> Ms Juliet Kemp
> Computer Manager                  [EMAIL PROTECTED]
> Astrophysics Group
> Imperial College                  Tel: +44 (0)20759 47538
> London. SW7 2AZ                   Fax: +44 (0)20759 47541

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
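The two diagnoses worked through in this thread, kvno drift between a keytab and the KDC database and the /etc/hosts ordering that made the client identify itself as host/localhost.localdomain, as an added Python example that is not code from the thread or from MIT Kerberos. The `klist -k` and `kadmin getprinc` output it parses is constructed to match those tools' formats, and the /etc/hosts samples are the two variants quoted above.

```python
"""Checks mirroring two diagnoses in this thread (added example, not code from
the thread or MIT Kerberos). All tool output below is constructed."""
import re
# Constructed `klist -k` output from the slave: stale kvno 3 plus a re-extracted kvno 5.
SLAVE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK
   5 host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK
"""
# Constructed "Key:" line from `kadmin -q "getprinc ..."` on the master KDC.
KDC_GETPRINC = {"host/rapanui.ph.ic.ac.uk@PH.IC.AC.UK":
                "Key: vno 4, aes256-cts-hmac-sha1-96, no salt"}

def keytab_kvnos(klist_output):
    """Highest kvno per principal in `klist -k` output (one line per key)."""
    kvnos = {}
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            princ, kvno = m.group(2), int(m.group(1))
            kvnos[princ] = max(kvno, kvnos.get(princ, 0))
    return kvnos

def kvno_mismatches(klist_output, getprinc_by_principal):
    """{principal: (keytab kvno, database kvno)} where the two disagree; a
    mismatch in either direction produces the kprop errors quoted above."""
    bad = {}
    for princ, kvno in keytab_kvnos(klist_output).items():
        m = re.search(r"Key: vno (\d+)", getprinc_by_principal.get(princ, ""))
        db_kvno = int(m.group(1)) if m else None
        if db_kvno != kvno:
            bad[princ] = (kvno, db_kvno)
    return bad

# The two /etc/hosts variants quoted in the thread, before and after the fix.
HOSTS_BEFORE = ("155.198.204.57 elysium.ph.ic.ac.uk elysium\n"
                "127.0.0.1 localhost.localdomain localhost elysium\n")
HOSTS_AFTER = ("155.198.204.57 elysium.ph.ic.ac.uk elysium\n"
               "127.0.0.1 localhost localhost.localdomain elysium\n")

def canonical_name(hosts_text, address):
    """Reverse lookup as the 'files' resolver does it: the first name on the
    first line carrying the address (localhost.localdomain before the fix)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == address:
            return fields[1]
    return None
```

Run against real systems by feeding it the output of `klist -k /etc/krb5.keytab` on each KDC and the matching `getprinc` lines from the master; any principal reported by `kvno_mismatches` needs its keytab entry re-extracted once, not repeatedly, since every `ktadd` bumps the database kvno.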
