Re: kprop trouble.
John Hascall wrote:

| Show us the kdc.conf on your machines...

Sure. On the master (elwing):

# cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    SLUGGARDY.NET = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5.keytab
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

On the slave (mithrandir):

# cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    SLUGGARDY.NET = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5.keytab
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

There are a couple of things that I have been kicking around in my head
that may be causing the trouble. Will kprop work properly if the slave
KDC is behind a NATing firewall? I can't think of a reason why it should
matter, but I thought I would check. I have the master KDC behind a
non-NATing firewall, but the slave is in my home NATed network. Could
this be the problem? If I get a chance I may try moving the machine in
front of the firewall and see if that makes a difference.

Thanks for any help, I really appreciate it. I love what I have seen of
Kerberos so far and would really like to get it working properly.
-Nick

Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kprop trouble.
John Hascall wrote:

|There are a couple of things that I have been kicking around in my head
|that may be causing the trouble. Will kprop work properly if the slave
|KDC is behind a NATing firewall? I can't think of a reason why it should
|matter, but I thought I would check.
|
|  Yes, NAT matters to Kerberos! The authentication (by default)
|  contains the IP address which is verified. You can add additional
|  addresses or ask for addressless tickets through your krb5.conf
|  configfile (addressless is the default in the latest versions).

Right, but does any other part of the protocol for kprop rely on not
being NATed? My kpropd gets past the authentication step, as I turned on
addressless tickets by default when I did the initial setup. It errors
out receiving the database size, which made me wonder if there was
something else going on. I will try moving the slave out in front of the
firewall though and report back on what I find. It looks like I may have
to dig through the kprop code to figure this one out though.

Thanks for your help,

-Nick
Re: kprop trouble.
nick == Nick Palmer [EMAIL PROTECTED] writes:

nick Right, but does any other part of the protocol for kprop rely on
nick not being NATed? My kpropd gets past the authentication step, as
nick I turned on addressless tickets by default when I did the
nick initial setup. It errors out receiving the database size, which
nick made me wonder if there was something else going on. I will try
nick moving the slave out in front of the firewall though and report
nick back on what I find. It looks like I may have to dig through the
nick kprop code to figure this one out though.

KRB-SAFE and KRB-PRIV messages (used in kprop) need to have a correct
sender's network addresses in them in order to protect from reflection
attacks. NATs can interfere with this.

---Tom
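An added example, not code from this thread or from MIT Kerberos, modelling in Python the address binding Tom describes: a KRB-SAFE-style message carries the sender's and recipient's addresses (RFC 4120 s-address / r-address) under a keyed checksum, and the receiver compares them with what its sockets report. It assumes a simplified HMAC-over-JSON encoding, a constructed session key and constructed addresses, and that a slave behind NAT sees a private local address while the master writes the NAT's public address, which in this model reproduces the symptom Nick reports: authentication succeeds and the first protected message (the database size) is rejected.

```python
import hashlib
import hmac
import json

# Constructed session key standing in for the key kprop and kpropd share
# after their AP-REQ/AP-REP exchange.
SESSION_KEY = b"constructed-session-key-for-demo"


def make_safe(key, user_data, s_address, r_address, timestamp):
    """Simplified KRB-SAFE: body carries the sender's (s-address) and
    recipient's (r-address) addresses plus a keyed checksum over the body.
    HMAC/JSON stand in for the real Kerberos checksum and ASN.1 encoding."""
    body = {"user_data": user_data.hex(), "s_address": s_address,
            "r_address": r_address, "timestamp": timestamp}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "cksum": hmac.new(key, encoded, hashlib.sha256).hexdigest()}


def verify_safe(key, msg, peer_address, local_address, now, max_skew=300):
    """Receiver-side checks: integrity first, then the address binding that
    defeats reflection (a message replayed from another host carries the
    wrong s-address), then freshness. Returns (ok, reason)."""
    body = msg["body"]
    encoded = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["cksum"]):
        return False, "checksum mismatch"
    if body["s_address"] != peer_address:
        return False, "sender address mismatch"
    if body["r_address"] is not None and body["r_address"] != local_address:
        return False, "recipient address mismatch"
    if abs(now - body["timestamp"]) > max_skew:
        return False, "clock skew"
    return True, "ok"


def kprop_size_exchange(master_addr, slave_addr_seen_by_master, slave_local_addr):
    """Model the first KRB-SAFE kprop sends after authentication: the dump
    size. In this model, with the slave behind NAT the r-address the master
    writes (the NAT's public address) is not the slave's own address, so the
    check fails here even though authentication succeeded."""
    size_msg = make_safe(SESSION_KEY, (4096).to_bytes(4, "big"),
                         master_addr, slave_addr_seen_by_master, 1_000_000)
    return verify_safe(SESSION_KEY, size_msg, master_addr, slave_local_addr, 1_000_010)


if __name__ == "__main__":
    # Constructed addresses: no NAT, then slave on a private network behind NAT.
    print(kprop_size_exchange("198.51.100.10", "198.51.100.20", "198.51.100.20"))
    print(kprop_size_exchange("198.51.100.10", "203.0.113.5", "192.168.1.20"))
```

Addressless tickets only remove the address check from the AP exchange; they do not change what a KRB-SAFE or KRB-PRIV reader compares, which is why the failure moves to the first protected message rather than disappearing.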
Re: kprop trouble.
Show us the kdc.conf on your machines...

John

| To reply to myself with more details, I have attempted to do the same
| thing with mit-krb5-1.3.1 and have the exact same problem, which just
| goes to show that either I am doing something wrong, or it is broken in
| both versions.
|
| Thanks in advance for any advice,
|
| -Nick
Re: kprop trouble.
To reply to myself with more details, I have attempted to do the same
thing with mit-krb5-1.3.1 and have the exact same problem, which just
goes to show that either I am doing something wrong, or it is broken in
both versions.

Thanks in advance for any advice,

-Nick