[37358] in Kerberos


kprop with multiple or NATted IP address

daemon@ATHENA.MIT.EDU (Jerry Shipman)
Wed Dec 23 15:51:07 2015

From: Jerry Shipman <jes59@cornell.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Wed, 23 Dec 2015 20:50:48 +0000
Message-ID: <1ADEB9DB-6522-4BDF-992C-E9E4B95F237B@cornell.edu>
In-Reply-To: <mailman.515.1450890097.16194.kerberos@mit.edu>
Content-Language: en-US
Content-ID: <55CE681BFE47EB499D8B9318753FB20D@namprd04.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

I’m trying to set up an additional slave KDC in a new location (different network), and I’m having trouble kprop’ing the database.

There is some tricky networking / routing going on between the network where the master KDC is and the network where the slave will be, that I am in the situation of needing to work with.

I can go into that more if necessary, but I think the salient point is that each machine has multiple network interfaces, one with a public IP and one with a private IP (10.x.y.z). I am trying to use the private IPs when I kprop the database to the slave. (I am convinced that I eventually got this working with an iptables postrouting snat rule; I see the 10space address in logs, etc.)

I am seeing this error on the slave when I try to push the database from the master:
  kpropd: Incorrect net address while decoding database size from client
From the master side, it looks like:
  kprop: Connection reset by peer while sending database block starting at 0

I think that kpropd is trying to look up the hostname of the master in DNS, and seeing the public IP, instead of the private IP which the connection is coming from, and then aborting because of that mismatch (or something like that).
On a lark I tried adding the master’s hostname with its private address to /etc/hosts on the slave, but it didn’t immediately seem to help.

Is there a way to do what I’m trying to do?
Or, is there a reason that it is dangerous to avoid verifying that IP match, and I shouldn’t try to work around it?

Thank you for your help,
Jerry Shipman


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
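Added illustration for this archive page, not code from the message above or from the MIT Kerberos project. It models the peer-address check the poster is running into, on the assumption (RFC 4120 section 3.4) that a KRB-SAFE message carries the address the sender believes it is sending from and that the receiver compares it with the peer address of the TCP connection it actually arrived over. Under a POSTROUTING SNAT rule the sender's own view of its source address is the pre-rewrite one, so the two addresses no longer agree and the receiver reports the mismatch. The `SnatRule`, `SafeMessage` and `simulate_push` names and every IP address are constructed for the example.

```python
"""Model of the KRB-SAFE sender-address check behind a SNAT rewrite.

Constructed example: the data types and addresses below are made up;
they are not kprop/kpropd code.  The check modelled here ties a
protected message to the connection it arrived on, so the remedy when it
fails is to make the sender's address and the receiver's peer address
agree (for example by routing the connection so no rewrite is needed),
not to drop the comparison.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class SafeMessage:
    # s-address: the source address the sender sees on its own socket.
    s_address: str
    payload: bytes


@dataclass(frozen=True)
class SnatRule:
    # iptables-style POSTROUTING SNAT: packets from match_src leave the
    # host with to_source as their source address.
    match_src: str
    to_source: str


def apply_snat(src: str, rules) -> str:
    """Return the source address the far side observes after SNAT."""
    for rule in rules:
        if rule.match_src == src:
            return rule.to_source
    return src


def check_sender_address(msg: SafeMessage, peer_address: str) -> str:
    """Receiver side: accept only if s-address equals the TCP peer address.

    Returns "ok" or the kpropd-style error text for a mismatch.
    """
    if ipaddress.ip_address(msg.s_address) != ipaddress.ip_address(peer_address):
        return "Incorrect net address"
    return "ok"


def simulate_push(sender_local: str, rules) -> str:
    """Sender binds to sender_local, writes it as s-address, and the
    receiver compares it with the (possibly rewritten) peer address."""
    msg = SafeMessage(s_address=sender_local, payload=b"database size")
    observed_peer = apply_snat(sender_local, rules)
    return check_sender_address(msg, observed_peer)


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.10 stands for the master's public
    # interface, 10.1.2.3 for its private one.
    nat = [SnatRule(match_src="203.0.113.10", to_source="10.1.2.3")]
    print("via SNAT:       ", simulate_push("203.0.113.10", nat))
    print("private direct: ", simulate_push("10.1.2.3", nat))
```

Run it as a script to see the two outcomes side by side: the connection that leaves from the public interface and is rewritten to the private address fails the check, while a connection that is sourced from the private address in the first place passes without any rewrite.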

