Problems with kpropd - Kerberos

This is a discussion on Problems with kpropd - Kerberos ; Hi, I have a working Kerberos master server, and am attempting to set up replication via kpropd. I've followed the steps in the MIT documentation, but then from this command: kprop -f test_kerb_slave_db rapanui.ph.ic.ac.uk I get output: kprop: Cannot resolve ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: Problems with kpropd

  1. Problems with kpropd

    Hi,

    I have a working Kerberos master server, and am attempting to set up
    replication via kpropd.

    I've followed the steps in the MIT documentation, but then from this
    command:

    kprop -f test_kerb_slave_db rapanui.ph.ic.ac.uk

    I get output:

    kprop: Cannot resolve network address for KDC in requested realm while
    getting initial ticket


    Adding the realm, as follows:

    kprop -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk

    gives:

    kprop: Client not found in Kerberos database while getting initial ticket

    Adding the keytab location with -s /etc/krb5.keytab doesn't help (same
    error about 'Client not found...').


    Any suggestions as to what might be wrong or how I can get more
    information? I'm running version 1.4.3-8 on Debian stable (sparc version)


    Many thanks,

    Juliet

    --
    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    + Ms Juliet Kemp +
    + Computer Manager star@imperial.ac.uk +
    + Astrophysics Group +
    + Imperial College Tel: +44 (0)20759 47538 +
    + London. SW7 2AZ Fax: +44 (0)20759 47541 +
    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Problems with kpropd


    My first guess is that the slave KDC doesn't have a host/ entry in the
    principal database (and in it's krb5.keytab). Check your kerberos logs
    and see if you're getting a client not found error for
    host/rapanui.ph.ic.ac.uk

    Other common propagation problems come from missing entries in kpropd.acl,
    the kpropd service not running on the slave, or the port being blocked
    with TCPwrappers or iptables

    -Mike

    > Hi,
    >
    > I have a working Kerberos master server, and am attempting to set up
    > replication via kpropd.
    >
    > I've followed the steps in the MIT documentation, but then from this
    > command:
    >
    > kprop -f test_kerb_slave_db rapanui.ph.ic.ac.uk
    >
    > I get output:
    >
    > kprop: Cannot resolve network address for KDC in requested realm while
    > getting initial ticket
    >
    >
    > Adding the realm, as follows:
    >
    > kprop -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
    >
    > gives:
    >
    > kprop: Client not found in Kerberos database while getting initial ticket
    >
    > Adding the keytab location with -s /etc/krb5.keytab doesn't help (same
    > error about 'Client not found...').
    >
    >
    > Any suggestions as to what might be wrong or how I can get more
    > information? I'm running version 1.4.3-8 on Debian stable (sparc version)
    >
    >
    > Many thanks,
    >
    > Juliet
    >
    > --
    > ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    > + Ms Juliet Kemp +
    > + Computer Manager star@imperial.ac.uk +
    > + Astrophysics Group +
    > + Imperial College Tel: +44 (0)20759 47538 +
    > + London. SW7 2AZ Fax: +44 (0)20759 47541 +
    > ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Problems with kpropd

    Mike Dopheide wrote:
    >
    > My first guess is that the slave KDC doesn't have a host/ entry in the
    > principal database (and in it's krb5.keytab). Check your kerberos logs
    > and see if you're getting a client not found error for
    > host/rapanui.ph.ic.ac.uk


    Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
    host/localhost.localdomain (i.e. the requesting host) that was the problem.

    Adding this to the principal database (& extracting it to keytabs on
    both master & slave) fixed the immediate problem. However:

    a) I'd rather not have a host/localhost.localdomain principal. How
    should I ensure that the requesting host uses its proper name?

    b) I've now encountered another problem:
    kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
    gives
    kprop: Decrypt integrity check failed while getting initial ticket

    I found this thread:
    http://mailman.mit.edu/pipermail/ker...ly/010082.html

    & discovered a key number mismatch on the master. Curiously, it seems
    that on adding host/localhost.localdomain, its kvno was 4, but the first
    time I extracted it, its kvno was 3. Is this normal/correct? Anyway, I
    fixed that, but then got this error:

    kprop: Server rejected authentication (during sendauth exchange) while
    authenticating to server
    Generic remote error: Key version number for principal in key table is
    incorrect

    I tried to fix this by extracting the key to the slave keytab: after
    this I was back to the original error:

    kprop: Decrypt integrity check failed while getting initial ticket

    At this point, on the master, the kvno matches in keytab & main
    database; but it doesn't on the slave. I can't see how to fix this,
    since each extraction seems to +1 to the kvno.

    However, kinit as host/localhost.localdomain, using the relevant keytab,
    works on both master & slave.

    I'm kind of stuck at this point! Any suggestions would be much appreciated!


    Regards,
    Juliet

    --
    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    + Ms Juliet Kemp +
    + Computer Manager star@imperial.ac.uk +
    + Astrophysics Group +
    + Imperial College Tel: +44 (0)20759 47538 +
    + London. SW7 2AZ Fax: +44 (0)20759 47541 +
    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Problems with kpropd


    Hhmm.. okay. First of all, you don't want to have the same keys in
    krb5.keytab on both systems. A system should really only have keys for
    itself and any services it provides (like host/hostname, ftp/hostname,
    etc).

    So that's probably why you're seeing the key version number problem.
    Every time you run ktadd it's going to randomize the key before writing it
    out to the file.

    But first you need to fix the identity crisis your server is having. I'm
    guessing it doesn't have it's hostname set so it's defaulting to
    localhost. What does 'hostname' return? Your systems should think of
    themselves with a real hostnames and have those entries in /etc/hosts with
    the fqdn listed first. ie, for your slave:

    155.198.204.170 rapanui.ph.ic.ac.uk rapanui

    The master should have it's host/master.ph.ic.ac.uk in it's
    /etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk. The
    slave should also have a kpropd.acl with just the text
    "host/master.ph.ic.ac.uk", not the actual key.

    Hopefully that will get you further.

    -Mike

    > Mike Dopheide wrote:
    >>
    >> My first guess is that the slave KDC doesn't have a host/ entry in the
    >> principal database (and in it's krb5.keytab). Check your kerberos logs
    >> and see if you're getting a client not found error for
    >> host/rapanui.ph.ic.ac.uk

    >
    > Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
    > host/localhost.localdomain (i.e. the requesting host) that was the problem.
    >
    > Adding this to the principal database (& extracting it to keytabs on
    > both master & slave) fixed the immediate problem. However:
    >
    > a) I'd rather not have a host/localhost.localdomain principal. How
    > should I ensure that the requesting host uses its proper name?
    >
    > b) I've now encountered another problem:
    > kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
    > gives
    > kprop: Decrypt integrity check failed while getting initial ticket
    >
    > I found this thread:
    > http://mailman.mit.edu/pipermail/ker...ly/010082.html
    >
    > & discovered a key number mismatch on the master. Curiously, it seems
    > that on adding host/localhost.localdomain, its kvno was 4, but the first
    > time I extracted it, its kvno was 3. Is this normal/correct? Anyway, I
    > fixed that, but then got this error:
    >
    > kprop: Server rejected authentication (during sendauth exchange) while
    > authenticating to server
    > Generic remote error: Key version number for principal in key table is
    > incorrect
    >
    > I tried to fix this by extracting the key to the slave keytab: after
    > this I was back to the original error:
    >
    > kprop: Decrypt integrity check failed while getting initial ticket
    >
    > At this point, on the master, the kvno matches in keytab & main
    > database; but it doesn't on the slave. I can't see how to fix this,
    > since each extraction seems to +1 to the kvno.
    >
    > However, kinit as host/localhost.localdomain, using the relevant keytab,
    > works on both master & slave.
    >
    > I'm kind of stuck at this point! Any suggestions would be much appreciated!
    >
    >
    > Regards,
    > Juliet
    >
    > --
    > ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    > + Ms Juliet Kemp +
    > + Computer Manager star@imperial.ac.uk +
    > + Astrophysics Group +
    > + Imperial College Tel: +44 (0)20759 47538 +
    > + London. SW7 2AZ Fax: +44 (0)20759 47541 +
    > ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  5. Re: Problems with kpropd

    Mike Dopheide wrote:
    >
    > Hhmm.. okay. First of all, you don't want to have the same keys in
    > krb5.keytab on both systems. A system should really only have keys for
    > itself and any services it provides (like host/hostname, ftp/hostname,
    > etc).


    Ah, right, OK. Misapprehension there on my part; I'm still getting to
    grips with Kerberos.

    I've now managed to fix the initial identity/key problems, by
    appropriate removing/recreating of principals so I now have

    host/elysium.ph.ic.ac.uk in the master keytab,
    host/rapanui.ph.ic.ac.uk in the slave keytab
    & both with KVNO that match the database.

    The issue I'm now having is this error in the slave logs:

    kpropd: Incorrect net address while decoding database size from client

    I was hoping that this was related to the identity issue below, but I've
    now resolved that, so it seems not (unless it's another subtle
    difference? e.g. the ticket having a 127.0.0.1 address? Might that
    happen?). The only reference I can find in the list archives is to a
    multihoming issue, which doesn't apply here.

    [ Solution to identity problem is below, for reference ]

    Thanks very much for all the help given so far! Thoughts on the latest
    stalling point welcome.


    Regards,
    Juliet


    > But first you need to fix the identity crisis your server is having.


    hostname was returning correct; and /etc/hosts had:

    155.198.204.57 elysium.ph.ic.ac.uk elysium
    127.0.0.1 localhost.localdomain localhost elysium

    Googling revealed some discussion on the Debian lists about this (the
    standard Debian ordering) being the wrong order (
    http://lists.debian.org/debian-devel.../msg00387.html ), as a
    result of which I've now replaced that last line with

    127.0.0.1 localhost localhost.localdomain elysium

    which works. host/localhost.localdomain principal has now been removed.


    >
    > The master should have it's host/master.ph.ic.ac.uk in it's
    > /etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk.
    > The slave should also have a kpropd.acl with just the text
    > "host/master.ph.ic.ac.uk", not the actual key.
    >
    > Hopefully that will get you further.
    >
    > -Mike
    >
    >> Mike Dopheide wrote:
    >>>
    >>> My first guess is that the slave KDC doesn't have a host/ entry in the
    >>> principal database (and in it's krb5.keytab). Check your kerberos logs
    >>> and see if you're getting a client not found error for
    >>> host/rapanui.ph.ic.ac.uk

    >>
    >> Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
    >> host/localhost.localdomain (i.e. the requesting host) that was the
    >> problem.
    >>
    >> Adding this to the principal database (& extracting it to keytabs on
    >> both master & slave) fixed the immediate problem. However:
    >>
    >> a) I'd rather not have a host/localhost.localdomain principal. How
    >> should I ensure that the requesting host uses its proper name?
    >>
    >> b) I've now encountered another problem:
    >> kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
    >> gives
    >> kprop: Decrypt integrity check failed while getting initial ticket
    >>
    >> I found this thread:
    >> http://mailman.mit.edu/pipermail/ker...ly/010082.html
    >>
    >> & discovered a key number mismatch on the master. Curiously, it seems
    >> that on adding host/localhost.localdomain, its kvno was 4, but the first
    >> time I extracted it, its kvno was 3. Is this normal/correct? Anyway, I
    >> fixed that, but then got this error:
    >>
    >> kprop: Server rejected authentication (during sendauth exchange) while
    >> authenticating to server
    >> Generic remote error: Key version number for principal in key table is
    >> incorrect
    >>
    >> I tried to fix this by extracting the key to the slave keytab: after
    >> this I was back to the original error:
    >>
    >> kprop: Decrypt integrity check failed while getting initial ticket
    >>
    >> At this point, on the master, the kvno matches in keytab & main
    >> database; but it doesn't on the slave. I can't see how to fix this,
    >> since each extraction seems to +1 to the kvno.
    >>
    >> However, kinit as host/localhost.localdomain, using the relevant keytab,
    >> works on both master & slave.
    >>
    >> I'm kind of stuck at this point! Any suggestions would be much
    >> appreciated!
    >>
    >>
    >> Regards,
    >> Juliet


    --
    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    + Ms Juliet Kemp +
    + Computer Manager star@imperial.ac.uk +
    + Astrophysics Group +
    + Imperial College Tel: +44 (0)20759 47538 +
    + London. SW7 2AZ Fax: +44 (0)20759 47541 +
    ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  6. Re: Problems with kpropd


    I'm stumped.

    I still think there's something inconsistent with the hostname,
    /etc/hosts, and/or DNS, but I'm not sure what else to suggest.

    -Mike

    > Mike Dopheide wrote:
    >>
    >> Hhmm.. okay. First of all, you don't want to have the same keys in
    >> krb5.keytab on both systems. A system should really only have keys for
    >> itself and any services it provides (like host/hostname, ftp/hostname,
    >> etc).

    >
    > Ah, right, OK. Misapprehension there on my part; I'm still getting to grips
    > with Kerberos.
    >
    > I've now managed to fix the initial identity/key problems, by appropriate
    > removing/recreating of principals so I now have
    >
    > host/elysium.ph.ic.ac.uk in the master keytab,
    > host/rapanui.ph.ic.ac.uk in the slave keytab
    > & both with KVNO that match the database.
    >
    > The issue I'm now having is this error in the slave logs:
    >
    > kpropd: Incorrect net address while decoding database size from client
    >
    > I was hoping that this was related to the identity issue below, but I've now
    > resolved that, so it seems not (unless it's another subtle difference? e.g.
    > the ticket having a 127.0.0.1 address? Might that happen?). The only
    > reference I can find in the list archives is to a multihoming issue, which
    > doesn't apply here.
    >
    > [ Solution to identity problem is below, for reference ]
    >
    > Thanks very much for all the help given so far! Thoughts on the latest
    > stalling point welcome.
    >
    >
    > Regards,
    > Juliet
    >
    >
    >> But first you need to fix the identity crisis your server is having.

    >
    > hostname was returning correct; and /etc/hosts had:
    >
    > 155.198.204.57 elysium.ph.ic.ac.uk elysium
    > 127.0.0.1 localhost.localdomain localhost elysium
    >
    > Googling revealed some discussion on the Debian lists about this (the
    > standard Debian ordering) being the wrong order (
    > http://lists.debian.org/debian-devel.../msg00387.html ), as a result of
    > which I've now replaced that last line with
    >
    > 127.0.0.1 localhost localhost.localdomain elysium
    >
    > which works. host/localhost.localdomain principal has now been removed.
    >
    >
    >>
    >> The master should have it's host/master.ph.ic.ac.uk in it's
    >> /etc/krb5.keytab and the slave should have host/rapanui.ph.ic.ac.uk. The
    >> slave should also have a kpropd.acl with just the text
    >> "host/master.ph.ic.ac.uk", not the actual key.
    >>
    >> Hopefully that will get you further.
    >>
    >> -Mike
    >>
    >>> Mike Dopheide wrote:
    >>>>
    >>>> My first guess is that the slave KDC doesn't have a host/ entry in the
    >>>> principal database (and in it's krb5.keytab). Check your kerberos logs
    >>>> and see if you're getting a client not found error for
    >>>> host/rapanui.ph.ic.ac.uk
    >>>
    >>> Many thanks for this - it wasn't host/rapanui.ph.ic.ac.uk but
    >>> host/localhost.localdomain (i.e. the requesting host) that was the
    >>> problem.
    >>>
    >>> Adding this to the principal database (& extracting it to keytabs on
    >>> both master & slave) fixed the immediate problem. However:
    >>>
    >>> a) I'd rather not have a host/localhost.localdomain principal. How
    >>> should I ensure that the requesting host uses its proper name?
    >>>
    >>> b) I've now encountered another problem:
    >>> kprop -d -r PH.IC.AC.UK -f test_kerb_slave_db rapanui.ph.ic.ac.uk
    >>> gives
    >>> kprop: Decrypt integrity check failed while getting initial ticket
    >>>
    >>> I found this thread:
    >>> http://mailman.mit.edu/pipermail/ker...ly/010082.html
    >>>
    >>> & discovered a key number mismatch on the master. Curiously, it seems
    >>> that on adding host/localhost.localdomain, its kvno was 4, but the first
    >>> time I extracted it, its kvno was 3. Is this normal/correct? Anyway, I
    >>> fixed that, but then got this error:
    >>>
    >>> kprop: Server rejected authentication (during sendauth exchange) while
    >>> authenticating to server
    >>> Generic remote error: Key version number for principal in key table is
    >>> incorrect
    >>>
    >>> I tried to fix this by extracting the key to the slave keytab: after
    >>> this I was back to the original error:
    >>>
    >>> kprop: Decrypt integrity check failed while getting initial ticket
    >>>
    >>> At this point, on the master, the kvno matches in keytab & main
    >>> database; but it doesn't on the slave. I can't see how to fix this,
    >>> since each extraction seems to +1 to the kvno.
    >>>
    >>> However, kinit as host/localhost.localdomain, using the relevant keytab,
    >>> works on both master & slave.
    >>>
    >>> I'm kind of stuck at this point! Any suggestions would be much
    >>> appreciated!
    >>>
    >>>
    >>> Regards,
    >>> Juliet

    >
    > --
    > ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    > + Ms Juliet Kemp +
    > + Computer Manager star@imperial.ac.uk +
    > + Astrophysics Group +
    > + Imperial College Tel: +44 (0)20759 47538 +
    > + London. SW7 2AZ Fax: +44 (0)20759 47541 +
    > ++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++
    >

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread