Trying to enable a slave KDC on a realm that I have working well with Kerberos V so far. Master KDC is on an Ubuntu 7.10 server machine; the slave KDC that I want to replicate to is an OpenSuSE 10.3 machine.

Both machines have kprop.acl installed in what appear to be the correct places. On the Ubuntu machine this is '/etc/krb5kdc/kpropd.acl' and on the OpenSuSE machine I installed it in '/var/lib/kerberos/krb5kdc/kpropd.acl' (where it appears it should go) and '/usr/local/var/krb5kdc/kpropd.acl' as it said this was the default in the manpage, just in case it was looking there. Both machines have 754 in services enabled for krb5_prop, kpropd is installed and running, etc.

I use kdb5_util dump ./tmp/slavedump and that seems to work fine on my master KDC:

    -rw------- 1 root root 11359 2008-04-01 13:22 slavedump
    -rw------- 1 root root 1 2008-04-01 13:22 slavedump.dump_ok

The problem comes when I try to replicate it:

    [EMAIL PROTECTED]:~/tmp# kprop -f ./slavedump my-slave-kdc.ouah.net

and I receive the following error:

    kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
    Generic remote error: Wrong principal in request

So it looks like it's connecting and all, but something is wrong with the hosts' principals in the keytabs, maybe? I'm really not sure, here. The only thing that I know about the /etc/keytab files is that for a given host 'x.y.z' I am to extract the 'host/x.y.z' key on that particular machine through kadmin after it has been generated as a random key on the kadmin server. As far as this, things are correct; the kdc has the kdc's host/[EMAIL PROTECTED], and the slave has the slave's host/[EMAIL PROTECTED] in the respective keytabs.

Any ideas? Many thanks in advance.

-Damon Getsman

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
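Added example, not part of the original post or of the Kerberos distribution: the error above names a principal mismatch, so this check derives the host/<name>@REALM principal that results from canonicalizing a hostname and compares it with the principals listed by 'klist -k' for the slave's keytab. The canonicalization (forward lookup, then reverse lookup, lower-cased) is an assumption that approximates the library's default behaviour; the hostnames, realm, address and keytab listing are constructed.

```python
import socket

# Constructed `klist -k` output from a hypothetical slave KDC keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 host/slave.example.com@EXAMPLE.COM
"""

def _forward(host):
    # Forward lookup: canonical name plus the first address returned.
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return info[0][3] or host, info[0][4]

def _reverse(sockaddr):
    # Reverse (PTR) lookup; raises OSError when no name is registered.
    return socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)[0]

def expected_principal(host, realm, service="host",
                       forward=_forward, reverse=_reverse):
    """Principal built from host after forward + reverse canonicalization
    (assumption: approximates the Kerberos library default)."""
    canon, addr = forward(host)
    try:
        canon = reverse(addr)
    except OSError:
        pass  # no PTR record: keep the forward canonical name
    return f"{service}/{canon.lower().rstrip('.')}@{realm}"

def keytab_principals(klist_output):
    """Principal names from `klist -k` rows of the form '<kvno> <principal>'."""
    rows = (line.split() for line in klist_output.splitlines())
    return {r[1] for r in rows if len(r) == 2 and r[0].isdigit()}

def check(host, realm, klist_output, **lookups):
    """Return (expected principal, True if the keytab holds a key for it)."""
    want = expected_principal(host, realm, **lookups)
    return want, want in keytab_principals(klist_output)

if __name__ == "__main__":
    # Constructed lookups: the PTR record names a different host than the
    # one the keytab was extracted for, so the check reports a mismatch.
    fwd = lambda h: ("slave.example.com", ("192.0.2.10", 0))
    rev = lambda a: "kdc2.example.com"
    want, ok = check("slave.example.com", "EXAMPLE.COM", SAMPLE_KLIST,
                     forward=fwd, reverse=rev)
    print(want, "present in keytab" if ok else "MISSING from keytab")
```

To use the real resolver, call check() without the forward and reverse arguments and pass it the text printed by 'klist -k' on the slave.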
