kpropd fails on multihomed KDCs set up according to FAQ - Kerberos


Thread: kpropd fails on multihomed KDCs set up according to FAQ

  1. kpropd fails on multihomed KDCs set up according to FAQ

    I have scoured the internet for information on this error and found what should
    be the answer in the Kerberos FAQ, only it still isn't working.

    I'm running from kdc1:

    /usr/krb5/sbin/kdb5_util dump /usr/krb5/lib/krb5kdc/slave_datatrans

    then:

    /usr/krb5/sbin/kprop -f /usr/krb5/lib/krb5kdc/slave_datatrans kdc2.mydomain.com

    The error is:

    /usr/krb5/sbin/kprop: Server rejected authentication (during sendauth exchange)
    while authenticating to server
    /usr/krb5/sbin/kprop: Incorrect net address signalled from server
    Error text from server: Incorrect net address

    I configured my DNS with the multi-homed hosts in mind as directed by Subject
    2.14 of the Kerberos FAQ v2.0, using the "multiple address records per host"
    scheme that the author recommends. Output of the 'dig' command on both kdc1
    and kdc2 shows all 3 addresses for each host pointing to the same hostname:

    ;; ANSWER SECTION:
    kdc1.mydomain.com. 1D IN A 10.1.1.98
    kdc1.mydomain.com. 1D IN A 10.1.1.99
    kdc1.mydomain.com. 1D IN A 10.1.1.101

    ;; ANSWER SECTION:
    kdc2.mydomain.com. 1D IN A 10.1.1.102
    kdc2.mydomain.com. 1D IN A 10.1.1.103
    kdc2.mydomain.com. 1D IN A 10.1.1.104

    The reverse lookup records are all there as well and 'dig' confirms each one
    matches the above forward lookup entries.

    I'm using Solaris 9. I know that I've confined the problem to the multihoming
    because if I remove multihoming on kdc1 and re-try the replication, it works
    fine. Does anyone know what I might be doing wrong?

    Thanks and best regards,

    -Michael
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: kpropd fails on multihomed KDCs set up according to FAQ

    On Jun 24, 2005, at 16:27, Michael Marziani wrote:
    > I'm using Solaris 9. I know that I've confined the problem to the
    > multihoming
    > because if I remove multihoming on kdc1 and re-try the replication, it
    > works
    > fine. Does anyone know what I might be doing wrong?


    I believe it's a kprop bug, not a problem in how you've set up your
    system. (Yes, kprop, not kpropd; the kprop side puts addresses into a
    message to be sent, and the server side correctly notices that the
    sender address included is not the address the sender is actually
    using, and rejects it.)

    Ken



  3. Re: kpropd fails on multihomed KDCs set up according to FAQ

    >/usr/krb5/sbin/kprop: Server rejected authentication (during sendauth exchange)
    >while authenticating to server
    >/usr/krb5/sbin/kprop: Incorrect net address signalled from server
    >Error text from server: Incorrect net address


    Hm. DNS really shouldn't affect things in this way (usually the problem
    lies with resolving hostnames for the service principal name).

    Based on these error messages, the server is rejecting the AP_REQ that
    the client sends to it, based on the IP address in it. The IP address(es)
    in the AP_REQ come from the IP addresses that the client detects that
    the host has (the client walks the interface list and for every interface
    it finds, it adds it to the AP_REQ).

    It seems to me that however you're doing multihoming, the Kerberos
    client code isn't detecting the additional interfaces correctly. Are
    these "real" additional interfaces, or are they aliases or virtual
    interfaces? If they're aliases, then I would guess that's the
    problem. That's probably a bug ... but if that's the problem, I'd ask
    why you're doing multihoming that way, because if they're on the same
    network, you won't gain any reliability (IMHO).

    --Ken
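The check that both replies above describe (Ken Raeburn: the sender address kprop puts in the message is not the address it is actually connecting from; Ken Hornstein: kpropd rejects the exchange based on the client addresses it carries), modelled as an added example. This is not code from MIT Kerberos, Solaris SEAM, or anyone in the thread. The interface list and replica address are taken from the dig output in the first post; which source address the kernel picks for the connection, the three ways of building the claimed address list, and the field names are assumptions made for illustration. `local_address_for()` is the only function that touches the network and is not run on import.

```python
"""Model of the check behind kprop's "Incorrect net address" error.

Constructed example, not code from MIT Kerberos or Solaris SEAM.  The
interface lists, the kernel's source-address choice and the field names
are assumptions; the check itself is the simplified rule described in
the thread: kpropd compares the peer address it sees on the connection
with the address(es) the client claimed in the authentication exchange.
"""
import ipaddress
import socket
from dataclasses import dataclass

BADADDR = "Incorrect net address"  # error text kprop printed in the thread
KPROP_PORT = 754                   # krb5_prop/tcp, the port kpropd listens on

# Constructed from the dig output on the page: kdc1 is multihomed,
# kdc2 is the replica kprop connects to.
KDC1_INTERFACES = ["10.1.1.98", "10.1.1.99", "10.1.1.101"]
KDC2_ADDR = "10.1.1.102"


@dataclass
class AuthExchange:
    """What matters from the sendauth exchange for this check: the client
    principal and the sender address(es) it claims (assumed field names)."""
    client_principal: str
    claimed_addrs: list


def claim_primary_address(interfaces):
    """Assumed buggy behaviour: resolve our own hostname and claim its first
    address, whatever interface the kernel actually used to connect."""
    return [interfaces[0]]


def claim_connection_address(local_addr_of_connection):
    """Behaviour that works: claim exactly the local address the connected
    socket reports (what getsockname() returns)."""
    return [local_addr_of_connection]


def claim_all_interfaces(interfaces):
    """Ken Hornstein's description: walk every interface and add each one."""
    return list(interfaces)


def kpropd_check(exchange, peer_addr_seen):
    """Server side.  The address the kernel reports for the peer must be one
    of the addresses the client claimed; otherwise reject with BADADDR.
    An empty claim is accepted here (simplification)."""
    if not exchange.claimed_addrs:
        return True, None
    peer = ipaddress.ip_address(peer_addr_seen)
    if any(ipaddress.ip_address(a) == peer for a in exchange.claimed_addrs):
        return True, None
    return False, BADADDR


def kprop_run(source_addr_used, claimed_addrs):
    """One kprop -> kpropd attempt: the kernel chose source_addr_used for the
    TCP connection; the client sends claimed_addrs; kpropd decides."""
    ex = AuthExchange("host/kdc1.mydomain.com@MYDOMAIN.COM", claimed_addrs)
    return kpropd_check(ex, source_addr_used)


# Scenarios from the thread.  The route to kdc2 is assumed to leave kdc1
# via 10.1.1.101 while multihomed, and via 10.1.1.98 once multihoming is off.

def multihomed_primary_claim():
    """Three addresses, connection leaves via .101, claim is the first A
    record only.  Rejected: the poster's failing case."""
    return kprop_run("10.1.1.101", claim_primary_address(KDC1_INTERFACES))


def single_homed_primary_claim():
    """Multihoming removed: the only address is also the one used.  Works,
    matching the poster's observation."""
    return kprop_run("10.1.1.98", claim_primary_address(["10.1.1.98"]))


def multihomed_socket_claim():
    """Still multihomed, but the claim comes from the connected socket."""
    return kprop_run("10.1.1.101", claim_connection_address("10.1.1.101"))


def multihomed_all_interfaces_claim():
    """Still multihomed, claiming every interface address."""
    return kprop_run("10.1.1.101", claim_all_interfaces(KDC1_INTERFACES))


def local_address_for(dest_ip, dest_port=KPROP_PORT):
    """Live probe (not run at import): let the kernel pick the source address
    for dest_ip via a connected UDP socket and read it back with getsockname().
    No packet is sent.  This is the address a correct kprop should claim."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]


if __name__ == "__main__":
    for name, fn in [("multihomed, primary A record", multihomed_primary_claim),
                     ("single-homed, primary A record", single_homed_primary_claim),
                     ("multihomed, getsockname()", multihomed_socket_claim),
                     ("multihomed, all interfaces", multihomed_all_interfaces_claim)]:
        ok, err = fn()
        print(f"{name:32s} -> {'accepted' if ok else 'rejected: ' + err}")
```

Running it prints one line per scenario; only the first is rejected with the text the poster saw. On a real multihomed host, `local_address_for(KDC2_ADDR)` shows which of the three addresses the kernel would use, which is the value to compare against whatever the bundled kprop claims.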


  4. Re: kprop fails on multihomed KDCs set up according to FAQ (solved)

    Many thanks to the people that helped me with this.

    After a few dead ends I decided to just compile the MIT code on my Solaris 9
    box and see if the kprop included with that would work. Turns out it worked
    just fine, and communicated with the Sun SEAM KDCs with no problems. I'm not
    sure at what point Sun forked MIT's code but it's happy now and I really
    appreciate the quick response by the people on this list.

    I'm going to stick around and see what help I may be to other users.

    Thanks again,

    -Michael


    --- Ken Hornstein wrote:

    > >/usr/krb5/sbin/kprop: Server rejected authentication (during sendauth exchange)
    > >while authenticating to server
    > >/usr/krb5/sbin/kprop: Incorrect net address signalled from server
    > >Error text from server: Incorrect net address
    >
    > Hm. DNS really shouldn't affect things in this way (usually the problem
    > lies with resolving hostnames for the service principal name).
    >
    > Based on these error messages, the server is rejecting the AP_REQ that
    > the client sends to it, based on the IP address in it. The IP address(es)
    > in the AP_REQ come from the IP addresses that the client detects that
    > the host has (the client walks the interface list and for every interface
    > it finds, it adds it to the AP_REQ).
    >
    > It seems to me that however you're doing multihoming, the Kerberos
    > client code isn't detecting the additional interfaces correctly. Are
    > these "real" additional interfaces, or are they aliases or virtual
    > interfaces? If they're aliases, then I would guess that's the
    > problem. That's probably a bug ... but if that's the problem, I'd ask
    > why you're doing multihoming that way, because if they're on the same
    > network, you won't gain any reliability (IMHO).
    >
    > --Ken




  5. Re: kprop fails on multihomed KDCs set up according to FAQ (solved)

    On Mon, Jun 27, 2005 at 12:06:20PM -0700, Michael Marziani wrote:
    > Many thanks to the people that helped me with this.
    >
    > After a few dead ends I decided to just compile the MIT code on my Solaris 9
    > box and see if the kprop included with that would work. Turns out it worked
    > just fine, and communicated with the Sun SEAM KDCs with no problems. I'm not
    > sure at what point Sun forked MIT's code but it's happy now and I really
    > appreciate the quick response by the people on this list.


    If you want this problem fixed in the bundled Solaris 9 kprop you should
    open a bug. Note that in Solaris 10 we added a number of enhancements
    to the bundled Kerberos which may be more to your liking. You can read
    more about this in the online Solaris System Admin Guide: Security
    Services:
    http://docs.sun.com/app/docs/doc/816...erberos&a=view

    (look for the Kerberos Enhancements in the Solaris 10 Release section)

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)
