how to propagate kerberos master db from behind NAT?
Dear All,
I try to propagate the content of a master kerberos db to a slave kdc,
and it fails with the following error:
kpropd: Incorrect net address while decoding database size from client
I googled for a solution in vain. I read through this list to find
someone experiencing the same error message though I guess his situation
is somewhat different. So I ask for a hint if someone can help me.
Here is the network layout, to have host names anonymized I'll use
SLAVE, MASTER, etc.:
WAN
~~~
|
| subnet of FQ IP addresses provided by ISP
-----------------
| |
SLAVE NAT-ROUTER (+firewall)
|
| 10.0.0.x/24 subnet
-------------------------------------
| | | | |
MASTER STORAGE LOGIN WEB ...
MAIL
DNS
A few debian servers (and so the MASTER krb kdc) are installed with
local IP addresses. From the outside they are seen with the same fully
qualified IP address. Machines are working fine.
In SLAVE machine I would like to achieve authentication to the kerberos
database served by the MASTER behind nat. At the moment we can simply
run the kinit command without a problem. However, there might be cases
of link failure between the NAT-ROUTER and the SLAVE making life very
hard at the SLAVE then. So I think it would be wise to propagate
regularly krb db content from the MASTER to the SLAVE machine.
At SLAVE the content of /etc/krb5kdc/kpropd.acl is: host/MASTER@REALM.
It has up-to-date host/SLAVE@REALM key in the /etc/krb5.keytab as well.
I run kpropd in foreground debug mode, and in the meantime I launch
kprop at the MASTER:
SLAVE:~# kpropd -S -d -a /etc/krb5kdc/kpropd.acl
Connection from NAT-ROUTER
krb5_recvauth(4, kprop5_01, host/SLAVE@, ...)
authenticated client: host/MASTER@REALM (etype == Triple DES cbc mode
with HMAC/sha1)
kpropd: Incorrect net address while decoding database size from client
As I guess the problem is the following. From the content received
during the conversation kpropd extracts that it is sent from MASTER,
however, the packet level traffic shows NAT-ROUTER addresses on each IP
packet. Since the two things do not match it will regard it as something
nasty and stops transaction. Is it so?
Is there a nice way to solve propagation in such a case I describe?
Thank you for all yours help in advance.
Bests,
J�zsef St�ger
steger1
comp.protocols.kerberos
5541 articles. 
1 followers.
jwinius
0 Replies
525 Views
Similar Artilces:
MIT Kerberos or Heimdal Kerberos?
Hi, How do I know the server install in the system is MIT Kerberos or Heimdal? I m using FreeBSD 5.2.1 Thanks sam ...
kerberos propagation
hey I´m building a kerberos propagation...but after conf every thing I get this error after execute kprop -d -f prueba morena Feb 27 14:21:42 morena kpropd[3221]: Connection from 0.0.0.0 Feb 27 14:21:42 morena kpropd[3221]: kpropd: Incorrect net address while decoding database size from client someone know why? thanks ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Kerberos master/master sync using OpenLDAP N-Way Multi-Master
I haven=B9t seen this idea posted anywhere. The new version of OpenLDAP (I=B9m using 2.4.15) has the ability to run in a multi-master mode. I was able to set up two servers that each ran a Kerberos instance as well as an OpenLDAP instance that had ldap and kerberos failover. I now don=B9t need to worry about doing any sync with Kerberos, as LDAP does it all. I can also run kadmin against either of the kerberos servers. Some tests I did that were pretty successful were: Realm setup: kdc =3D kdc01.security.lab.comcast.net:88 kdc =3D kdc02.security.lab.comcast.net:88 Turn off kdc on kdc0...
Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching
I am trying to setup Kerberos on Redhat with slaves and database propagation (not incremental). I am going through MIT's documentation for KDC installation and configuration. Currently, I have three doubts/issues: 1. Do we need kpropd running on slave KDC, even if we do not have incremental propagation ? I started xinetd service, and tried propagating database (without starting kpropd, as I have not configured incremental propagation), and it gave me an error: kprop: Connection refused while connecting to server However, when I started kpropd in the same setup without any co...
FTP and Kerberos
Hi, I get the following Kerberos related error when i do FTP from another machine(redhat 9.0) to my machine(redhat 9.0). How to solve this problem ? Should i Need to start/stop some daemons ? here is what happens when i do FTP !!! --------->>>>>>>>> Here is it .....>>>> Connected to 107.108.89.173. 220 localhost.localdomain FTP server (Version 5.60) ready. 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: No credentials cache found GSSAPI error: in...
migration from Kerberos 4 to Kerberos 5
Hello, I have a few questions about migration to a new Kerberos version. In fact, the goal is to migrate a network with Kerberos 4 to the Kerberos 5(under Lin8x): 1) Do I have to reinstall Kerberos from the scratch or are there packages that allow to update the version? 2) What about the users that I created, are they still valid or will user information be lost. Part of the network uses already an LDAP directory, do I suppose this will not be a problem for this part, but in general, how can I migrate my user-accounts to the new version? 3) What about the clients, do I have to re-install th...
MIT Kerberos and Solaris 10 Kerberos
Greetings, everyone. We run a number of Solaris 8 systems using Sun's SEAM PAM implementation and MIT's Kerberos (which we're up to date on). We are starting to look at Solaris 10, and are hoping to move towards Sun's implementation of Kerberos. We are having a bit of trouble getting the two to talk properly, however. If we SSH (from production to test, for example) to a Solaris 8 machine, then we can rlogin (Kerberized) to the Solaris 10 machine and, from there, rlogin to a Sol8 machine again. If, however, we SSH directly to the Solaris 10 machine, we cannot rlogin to a Sola...
Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted ...
Kerberos
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Kerberos Propagation question
Hi, A colleague asked recently if KDC's could replicate more frequently, his suggestion was every 3 minutes. That seemed as though it could have adverse effects on the KDC's but i couldn't find anything in the docs on a best practice for how frequently / infrequently to replicate the database. I seem to recall that propagation locks the DB, but I wasn't able to find a reference to it. (I could have made it up..., or maybe I just didn't see it in the docs) Would pushing the database out that frequently be problematic? Besides increased load on the system could that hav...
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two actions can be accomplished by a separate process, which can be forked and execd by the sshd and passed the environment which may have a KREB5CCNAME pointing at the Kerberos ticket cache Other parameters ...
Kerberos and NAT issue
Hi all,=0AI have a Kerberos v5 MIT installed in a large enviroment.=0AI'm e= xperiencing a problem in a ISP environment when NAT is involved in kerberos= authentication.=0AHOST IP included in kerberos ticket isn't recognized fro= m kerberized services (SSHD) because NAT!=0A=0AIs it possibile to solve thi= s problem? Does exist a patch or workaround (secure, no -A param in kinit ;= ) )=0A=0A=0A=0AThanks in advance for your help!=0A=0A=0A=0AStefano=0A=0A=0A= ___________________________________ =0AL'email della prossima generaz= ione? Puoi averla con la nuova Yahoo! Mail: http:...
Kerberos Slave Propagation
Hello. I am having trouble propagating my kerberos database to a slave KDC. Honestly, I don't know what I'm doing. I have, however, read absolutely every piece of documentation available. I am stuck. My master KDC and admin server are a Debian Linux machine running the MIT kerberos implementation. I installed these myself according to instructions. They work without problem. My slave KDC is a Mac OS 10.3, Panther, machine. DNS has been correctly configured for each machine. host wum.lat wum.lat has address 192.168.179.73 host 192.168.179.73 73.179.168.192.in-addr.arpa domain n...
kerberos
Hi, I've seen a number of posts regarding similar issues, but none with answers.. maybe i'll be lucky... Trying to join a Linux samba box to a Win2k Domain via ADS.. Have used 'net join -U administrator%password' then get a list of errors about 20 lines long similar to this. "kerberos_knit_password fedora$@domain.com failed: Client not found in Kerberos database" But, it *does* join the domain and I can see and use the share.... Is there anything to worry about?? TIA, travelfurther.. ...
Hi, How do I know the server install in the system is MIT Kerberos or Heimdal? I m using FreeBSD 5.2.1 Thanks sam ...
kerberos propagation
hey I´m building a kerberos propagation...but after conf every thing I get this error after execute kprop -d -f prueba morena Feb 27 14:21:42 morena kpropd[3221]: Connection from 0.0.0.0 Feb 27 14:21:42 morena kpropd[3221]: kpropd: Incorrect net address while decoding database size from client someone know why? thanks ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Kerberos master/master sync using OpenLDAP N-Way Multi-Master
I haven=B9t seen this idea posted anywhere. The new version of OpenLDAP (I=B9m using 2.4.15) has the ability to run in a multi-master mode. I was able to set up two servers that each ran a Kerberos instance as well as an OpenLDAP instance that had ldap and kerberos failover. I now don=B9t need to worry about doing any sync with Kerberos, as LDAP does it all. I can also run kadmin against either of the kerberos servers. Some tests I did that were pretty successful were: Realm setup: kdc =3D kdc01.security.lab.comcast.net:88 kdc =3D kdc02.security.lab.comcast.net:88 Turn off kdc on kdc0...
Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching
I am trying to setup Kerberos on Redhat with slaves and database propagation (not incremental). I am going through MIT's documentation for KDC installation and configuration. Currently, I have three doubts/issues: 1. Do we need kpropd running on slave KDC, even if we do not have incremental propagation ? I started xinetd service, and tried propagating database (without starting kpropd, as I have not configured incremental propagation), and it gave me an error: kprop: Connection refused while connecting to server However, when I started kpropd in the same setup without any co...
FTP and Kerberos
Hi, I get the following Kerberos related error when i do FTP from another machine(redhat 9.0) to my machine(redhat 9.0). How to solve this problem ? Should i Need to start/stop some daemons ? here is what happens when i do FTP !!! --------->>>>>>>>> Here is it .....>>>> Connected to 107.108.89.173. 220 localhost.localdomain FTP server (Version 5.60) ready. 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: No credentials cache found GSSAPI error: in...
migration from Kerberos 4 to Kerberos 5
Hello, I have a few questions about migration to a new Kerberos version. In fact, the goal is to migrate a network with Kerberos 4 to the Kerberos 5(under Lin8x): 1) Do I have to reinstall Kerberos from the scratch or are there packages that allow to update the version? 2) What about the users that I created, are they still valid or will user information be lost. Part of the network uses already an LDAP directory, do I suppose this will not be a problem for this part, but in general, how can I migrate my user-accounts to the new version? 3) What about the clients, do I have to re-install th...
MIT Kerberos and Solaris 10 Kerberos
Greetings, everyone. We run a number of Solaris 8 systems using Sun's SEAM PAM implementation and MIT's Kerberos (which we're up to date on). We are starting to look at Solaris 10, and are hoping to move towards Sun's implementation of Kerberos. We are having a bit of trouble getting the two to talk properly, however. If we SSH (from production to test, for example) to a Solaris 8 machine, then we can rlogin (Kerberized) to the Solaris 10 machine and, from there, rlogin to a Sol8 machine again. If, however, we SSH directly to the Solaris 10 machine, we cannot rlogin to a Sola...
Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted ...
Kerberos
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...
Kerberos Propagation question
Hi, A colleague asked recently if KDC's could replicate more frequently, his suggestion was every 3 minutes. That seemed as though it could have adverse effects on the KDC's but i couldn't find anything in the docs on a best practice for how frequently / infrequently to replicate the database. I seem to recall that propagation locks the DB, but I wasn't able to find a reference to it. (I could have made it up..., or maybe I just didn't see it in the docs) Would pushing the database out that frequently be problematic? Besides increased load on the system could that hav...
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two actions can be accomplished by a separate process, which can be forked and execd by the sshd and passed the environment which may have a KREB5CCNAME pointing at the Kerberos ticket cache Other parameters ...
Kerberos and NAT issue
Hi all,=0AI have a Kerberos v5 MIT installed in a large enviroment.=0AI'm e= xperiencing a problem in a ISP environment when NAT is involved in kerberos= authentication.=0AHOST IP included in kerberos ticket isn't recognized fro= m kerberized services (SSHD) because NAT!=0A=0AIs it possibile to solve thi= s problem? Does exist a patch or workaround (secure, no -A param in kinit ;= ) )=0A=0A=0A=0AThanks in advance for your help!=0A=0A=0A=0AStefano=0A=0A=0A= ___________________________________ =0AL'email della prossima generaz= ione? Puoi averla con la nuova Yahoo! Mail: http:...
Kerberos Slave Propagation
Hello. I am having trouble propagating my kerberos database to a slave KDC. Honestly, I don't know what I'm doing. I have, however, read absolutely every piece of documentation available. I am stuck. My master KDC and admin server are a Debian Linux machine running the MIT kerberos implementation. I installed these myself according to instructions. They work without problem. My slave KDC is a Mac OS 10.3, Panther, machine. DNS has been correctly configured for each machine. host wum.lat wum.lat has address 192.168.179.73 host 192.168.179.73 73.179.168.192.in-addr.arpa domain n...
kerberos
Hi, I've seen a number of posts regarding similar issues, but none with answers.. maybe i'll be lucky... Trying to join a Linux samba box to a Win2k Domain via ADS.. Have used 'net join -U administrator%password' then get a list of errors about 20 lines long similar to this. "kerberos_knit_password fedora$@domain.com failed: Client not found in Kerberos database" But, it *does* join the domain and I can see and use the share.... Is there anything to worry about?? TIA, travelfurther.. ...
Web resources about - how to propagate kerberos master db from behind NAT? - comp.protocols.kerberos
Go forth and propagateOne of my favourite things about gardening is propagating.
2 Very Easy Ways to Propagate Succulents... more. I wanted to one vlog which you could refer to whenever I’m posting about a specific succulent because the great majority of them propagate ...
Drudge propagates the "Obama is like Nixon" meme.I've already mobilized my "Obama is like Nixon" tag for the occasion. That was the 13th time I used it.
Western Media Propagate Anti-China Rhetoric, Xinhua Chief Says
Western Media Propagate Anti-China Rhetoric, Xinhua Chief Says Bloomberg Western media outlets propagate ideas from “hostile forces” that don't ...
Western Media Propagate Anti-China Rhetoric, Xinhua Chief Says Bloomberg Western media outlets propagate ideas from “hostile forces” that don't ...
Hollywood hit job: ‘Fair Game’ propagates easily disprovable myths about lead up to Iraq War"Fair Game" propagates easily disprovable myths about lead up to Iraq War
Congress did not propagate its achievements: ChidambaramCongress did not propagate its achievements: Chidambaram - Union Finance Minister P.Chidambaram Saturday said that the Congress' biggest fault ...
Culture: It’s alive — it propagates, mutates, and accumulates... and quickly eradicate them. If you don’t, and since cultures determine which humans survive, they could repel the wrong talent. Culture propagates. ...
The Hidden Biases Our Internet Memes Help PropagateWelcome to Reading List , a weekly collection of great tech reads from around the web. This week explores the hidden biases of Internet memes, ...
Tweet self-propagates through TweetDeckNEW YORK (AP) â" A tweet containing computer code has propagated itself through Twitter by taking advantage of a security flaw in the company's ...
Study: Open source libraries propagate security flaws
Although companies such as Microsoft, Adobe, and Mozilla have raised awareness of secure programming practices in recent years, getting developers ...
Although companies such as Microsoft, Adobe, and Mozilla have raised awareness of secure programming practices in recent years, getting developers ...
Resources last updated: 2/10/2016 7:44:10 AM