[24148] in Kerberos

Re: kpropd fails on multihomed KDCs set up according to FAQ

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Mon Jun 27 14:01:38 2005

Message-Id: <200506271800.j5RI0K4a026537@ginger.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <20050624202736.7656.qmail@web33201.mail.mud.yahoo.com> 
Date: Mon, 27 Jun 2005 14:00:21 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Errors-To: kerberos-bounces@mit.edu

>/usr/krb5/sbin/kprop: Server rejected authentication (during sendauth exchange)
>while authenticating to server
>/usr/krb5/sbin/kprop: Incorrect net address signalled from server
>Error text from server: Incorrect net address

Hm.  DNS really shouldn't affect things in this way (usually the problem
lies with resolving hostnames for the service principal name).

Based on these error messages, the server is rejecting the AP_REQ that
the client sends to it, based on the IP address in it.  The IP address(es)
in the AP_REQ come from the IP addresses that the client detects that
the host has (the client walks the interface list and for every interface
it finds, it adds it to the AP_REQ).

It seems to me that however you're doing multihoming, the Kerberos
client code isn't detecting the additional interfaces correctly.  Are
these "real" additional interfaces, or are they aliases or virtual
interfaces?  If they're aliases, then I would guess that's the
problem.  That's probably a bug ... but if that's the problem, I'd ask
why you're doing multihoming that way, because if they're on the same
network, you won't gain any reliability (IMHO).

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
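
The check described in the message above, as an added example that is not part of the original message and is not code from MIT Kerberos: it walks the interface list, asks the kernel which source address it would use toward a peer, and reports whether that address is in the walked list. It assumes IPv4 and uses getifaddrs() as a stand-in for the client's interface walk; the function names and the port number are illustrative.

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, IPv4 only. getifaddrs() stands in for the client's
   interface walk (assumption). Returns the address count, or -1. */
int collect_local_addrs(struct in_addr *out, int max) {
    struct ifaddrs *ifa, *p;
    int n = 0;
    if (getifaddrs(&ifa) != 0) return -1;
    for (p = ifa; p != NULL && n < max; p = p->ifa_next) {
        if (p->ifa_addr == NULL || p->ifa_addr->sa_family != AF_INET) continue;
        out[n++] = ((struct sockaddr_in *)p->ifa_addr)->sin_addr;
    }
    freeifaddrs(ifa);
    return n;
}

/* The acceptance test: is the connection's source address in the list? */
int addr_in_list(const struct in_addr *list, int n, struct in_addr src) {
    for (int i = 0; i < n; i++)
        if (list[i].s_addr == src.s_addr) return 1;
    return 0;
}

/* Source address the kernel picks toward peer; UDP connect() sends no packet. */
int source_addr_for(const char *peer, struct in_addr *src) {
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(754) }, me;
    socklen_t len = sizeof(me);
    int fd, bad;
    if (inet_pton(AF_INET, peer, &dst.sin_addr) != 1) return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    bad = connect(fd, (struct sockaddr *)&dst, sizeof(dst)) != 0 ||
          getsockname(fd, (struct sockaddr *)&me, &len) != 0;
    close(fd);
    if (!bad) *src = me.sin_addr;
    return bad ? -1 : 0;
}

int main(int argc, char **argv) {
    struct in_addr list[64], src;
    int n = collect_local_addrs(list, 64);
    if (argc < 2 || n < 0 || source_addr_for(argv[1], &src) != 0) return 2;
    int ok = addr_in_list(list, n, src);
    printf("source %s %s by interface walk\n", inet_ntoa(src), ok ? "found" : "NOT found");
    return !ok;
}
```

Run it on the sending host with the other KDC's IPv4 address as the argument; exit status 1 means the kernel's chosen source address was not found by the walk.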
