Dear All,

I am trying to propagate the content of a master Kerberos db to a slave KDC,
and it fails with the following error:

kpropd: Incorrect net address while decoding database size from client

I googled for a solution in vain. I read through this list and found
someone experiencing the same error message, though I guess his situation
is somewhat different. So I am asking for a hint, if someone can help me.

Here is the network layout; to keep host names anonymized I'll use
SLAVE, MASTER, etc.:

                    WAN
                    ~~~
                     |
                     | subnet of FQ IP addresses provided by ISP
             -----------------
             |               |
           SLAVE        NAT-ROUTER (+firewall)
                             |
                             | 10.0.0.x/24 subnet
        -------------------------------------
        |        |        |       |        |
      MASTER  STORAGE   LOGIN    WEB      ...
      MAIL
      DNS

A few Debian servers (including the MASTER krb KDC) are installed with
local IP addresses. From the outside they are seen with the same fully
qualified IP address. The machines are working fine.

On the SLAVE machine I would like to authenticate against the Kerberos
database served by the MASTER behind NAT. At the moment we can simply
run the kinit command without a problem. However, there might be cases
of link failure between the NAT-ROUTER and the SLAVE, making life very
hard at the SLAVE. So I think it would be wise to regularly propagate
the krb db content from the MASTER to the SLAVE machine.

At SLAVE the content of /etc/krb5kdc/kpropd.acl is: host/MASTER@REALM.
It has an up-to-date host/SLAVE@REALM key in /etc/krb5.keytab as well.
I run kpropd in foreground debug mode, and in the meantime I launch
kprop at the MASTER:

SLAVE:~# kpropd -S -d -a /etc/krb5kdc/kpropd.acl
Connection from NAT-ROUTER
krb5_recvauth(4, kprop5_01, host/SLAVE@, ...)
authenticated client: host/MASTER@REALM (etype == Triple DES cbc mode
with HMAC/sha1)
kpropd: Incorrect net address while decoding database size from client

My guess is that the problem is the following. From the content received
during the conversation kpropd extracts that it was sent from MASTER;
however, the packet-level traffic shows NAT-ROUTER addresses on each IP
packet. Since the two do not match, it regards this as something
nasty and stops the transaction. Is that so?

Is there a nice way to solve propagation in a case such as the one I describe?

Thank you for all your help in advance.

Bests,
József Stéger