[29674] in Kerberos


Re: kprop between master (solaris) and slave (mandriva)

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Apr 11 10:46:59 2008

Message-ID: <47FF79AA.6040407@anl.gov>
Date: Fri, 11 Apr 2008 09:46:02 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Marcin N <nichu@nospam.onet.pl>
In-Reply-To: <ftnq5r$a8v$1@news.onet.pl>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Marcin N wrote:
> Hello
> I would like to make replication between two hosts with different OS's - 
> solaris as master and mandriva as slave.

And different versions of Kerberos too. It looks like the Solaris master
is the vendor provided Solaris 10 Kerberos. The mandriva slave looks like
some variant of MIT 1.4.2.

They both may store configuration files in different locations.
Solaris tends to use /etc/krb5. Check both sets of man pages.

Both kprop and kpropd have -d options in both Solaris and MIT.


> 
> On master everything seems to be OK.
> So on slave I initialized databases
> kdb5_util create -r NET.COM -s
> 
> On both sides I run
> kpropd -S
> 
> On both sides krb5.conf looks like:
> ===============================================
> [libdefaults]
>          default_realm = NET.COM
> [realms]
>           NET.COM = {
>                  admin_server = master0
>                  kdc = master0
>                  kdc = slave
>                  master_kdc = master0

Host names, including the KDC, should be FQDNs.

>          }
> [domain_realm]
>          .net.com = NET.COM
>          net.com = NET.COM
> [logging]
>          default = FILE:/var/krb5/kdc.log
>          kdc = FILE:/var/krb5/kdc.log
> ===============================================
> kpropd.acl
> 
> host/slave.net.com@NET.COM
> host/master0.net.com@NET.COM
> host/master0@NET.COM
> host/slave
> host/master0
> 
> there are entries for both hosts in krb database on both sides as well, 
> I even turn off firewall on both sides to check...
> 
> and when I try to propagate data
> /usr/lib/krb5/kprop -d -f krb5.dump slave.net.com
> 
> there is error:
> /usr/lib/krb5/kprop: Server rejected authentication (during sendauth 
> exchange) while authenticating to server
> Generic remote error: Wrong principal in request



> 
> in kdc.log on master
> Apr 11 15:24:01 master0 krb5kdc[24492](info): AS_REQ (5 etypes {17 16 23 
> 3 1}) 192.168.5.5: NEEDED_PREAUTH: host/master0@NET.COM for 
> host/slave.net.com@NET.COM, Additional pre-authentication required
> Apr 11 15:24:01 master0 krb5kdc[24492](info): AS_REQ (5 etypes {17 16 23 
> 3 1}) 192.168.5.5: ISSUE: authtime 1207920241, etypes {rep=17 tkt=17 
> ses=17}, host/master0@NET.COM for host/slave.net.com@NET.COM
> 
> I read somewhere that I need to copy krb5.keytab from master to slave - 
> and I did and it didn't help.
> 
> Maybe it's due to differences in software?!
> on solaris I have installed packets from CD:
> svcadm enable svc:/network/security/krb5kdc
> svcadm enable svc:/network/security/krb5_prop
> svcadm enable svc:/network/security/kadmin
> 
> on mandriva via urpmi
> krb5-workstation-1.4.2-2.2.20060mdk
> libkrb53-1.4.2-2.2.20060mdk
> krb5-server-1.4.2-2.2.20060mdk
> 
> Thank You in advance for any help
> 
> Regards
> nichu
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
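
A check for the FQDN advice above, as an added example that is not part of the original message: it lists the unqualified host names in the [realms] section of a krb5.conf and in the host part of kpropd.acl principals. The sample inputs are constructed from the files quoted in the thread; the function names and the two-label FQDN heuristic are assumptions of this example.

```python
import re
# Constructed sample inputs, modelled on the files quoted in the thread.
KRB5_CONF = """\
[realms]
    NET.COM = {
        admin_server = master0
        kdc = master0
        kdc = slave
        master_kdc = master0
    }
"""
KPROPD_ACL = """\
host/slave.net.com@NET.COM
host/master0.net.com@NET.COM
host/master0@NET.COM
host/slave
host/master0
"""
# Realm relations whose value is a host name (optionally host:port).
HOST_KEYS = {"kdc", "admin_server", "master_kdc", "kpasswd_server"}

def is_fqdn(host):
    """Heuristic (assumption): at least two non-empty dot-separated labels."""
    labels = host.split(":")[0].rstrip(".").split(".")  # drop optional :port
    return len(labels) >= 2 and all(labels)

def short_hosts_in_krb5_conf(text):
    """Return (key, host) pairs under [realms] whose host is not an FQDN."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "realms" and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key in HOST_KEYS and not is_fqdn(value):
                findings.append((key, value))
    return findings

def short_hosts_in_acl(text):
    """Return kpropd.acl principals of the form service/host with a short host."""
    findings = []
    for princ in filter(None, (l.strip() for l in text.splitlines())):
        parts = princ.split("@")[0].split("/")
        if len(parts) == 2 and not is_fqdn(parts[1]):
            findings.append(princ)
    return findings
print(short_hosts_in_krb5_conf(KRB5_CONF))
print(short_hosts_in_acl(KPROPD_ACL))
```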