KDC Master/Slave replication and propagation

Hi all,
I'm trying to set up a master/slave KDC architecture on SOLARIS 9.
I've set up the master and slave correctly, but when I execute kprop
on the master to dispatch the Kerberos DB, the latter command yields
the following output:

Broken Pipe

In particular, if I execute kprop with truss this is what I obtain:
..
..
..
close(5)                                        = 0
read(256, " # i d e n t\t " @ ( # )".., 1024)   = 1024
read(256, " o t o c o l   v 2\n l d".., 1024)   = 1024
read(256, " 1 3 9 / u d p\t\t\t\t #".., 1024)   = 1024
read(256, " c p\t\t\t\t #   E C D  ".., 1024)   = 859
close(256)                                      = 0
so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", 1) = 5
connect(5, 0xFFBFF878, 16, 1)                   = 0
getsockname(5, 0xFFBFF878, 0xFFBFF874, 1)       = 0
write(5, "\0\0\013", 4)                         = 4
write(5, " K R B 5 _ S E N D A U T".., 19)      = 19
write(5, "\0\0\0\n", 4)                         = 4
write(5, " k p r o p 5 _ 0 1\0", 10)            = 10
read(5, "\0", 1)                                = 1
time()                                          = 1204020515
getpid()                                        = 14196 [14195]
getpid()                                        = 14196 [14195]
getpid()                                        = 14196 [14195]
write(5, "\0\001 u", 4)                         = 4
write(5, " n8201 q 08201 mA0030201".., 373)     = 373
read(5, "\0\0\0\0", 4)                          = 4
read(5, "\0\0\0 S", 4)                          = 4
read(5, " o Q 0 OA003020105A10302".., 83)       = 83
getpid()                                        = 14196 [14195]
write(5, "\0\0\0 i", 4)                         = 4
write(5, " t g 0 eA003020105A10302".., 105)     = 105
read(4, " k d b 5 _ u t i l   l o".., 32768)    = 7985
brk(0x0002B710)                                 = 0
brk(0x0002D710)                                 = 0
getpid()                                        = 14196 [14195]
brk(0x0002D710)                                 = 0
brk(0x0002F710)                                 = 0
brk(0x0002F710)                                 = 0
brk(0x00031710)                                 = 0
write(5, "\0\01F9F", 4)                         Err#32 EPIPE
     Received signal #13, SIGPIPE [default]

From the kpropd point of view, if I launch it in debug mode this is
what it yields:


root@colcascsv # /usr/local/sbin/kpropd -r SOLARIS -dS -f /tmp/lave_datatrans -F /usr/local/var/krb5kdc/principal -p /usr/local/sbin/kdb5_util -a /usr/local/var/krb5kdc/kadm5.acl

Connection from colcascms
krb5_recvauth(5, kprop5_01, host/colcascsv@SOLARIS, ...)
authenticated client: host/colcascms@SOLARIS (etype == DES cbc mode with CRC-32)

It seems that the slave KDC accepts the MASTER propagation, however
nothing is propagated.

Thanks in advance!

Best regards,
Andrea


acirulli (39)
2/26/2008 7:19:18 PM
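
The socket half of the truss trace above can be read as krb5_sendauth framing: a 4-byte big-endian length, then the payload. The following is an added example, not part of the original post; it pairs each header with its payload, names Kerberos messages by their RFC 4120 application tag, and reports which message was last delivered before the write that hit EPIPE. The two-column byte rendering rule in `unrender` is an assumption inferred from this trace, and the function names are hypothetical.

```python
import re

# Constructed sample: the socket (fd 5) lines copied from the truss output in the post.
TRACE = r'''
write(5, "\0\0\013", 4)                         = 4
write(5, " K R B 5 _ S E N D A U T".., 19)      = 19
write(5, "\0\0\0\n", 4)                         = 4
write(5, " k p r o p 5 _ 0 1\0", 10)            = 10
read(5, "\0", 1)                                = 1
write(5, "\0\001 u", 4)                         = 4
write(5, " n8201 q 08201 mA0030201".., 373)     = 373
read(5, "\0\0\0\0", 4)                          = 4
read(5, "\0\0\0 S", 4)                          = 4
read(5, " o Q 0 OA003020105A10302".., 83)       = 83
write(5, "\0\0\0 i", 4)                         = 4
write(5, " t g 0 eA003020105A10302".., 105)     = 105
read(4, " k d b 5 _ u t i l   l o".., 32768)    = 7985
write(5, "\0\01F9F", 4)                         Err#32 EPIPE
'''

CALL = re.compile(r'(read|write)\((\d+), "(.*)"(?:\.\.)?, (\d+)\)\s+(?:= (\d+)|Err#\d+ (\w+))')
# ASN.1 application tags of Kerberos messages (RFC 4120).
TAGS = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x74: "KRB-SAFE", 0x75: "KRB-PRIV", 0x7E: "KRB-ERROR"}
ESCAPES = {"\\0": 0x00, "\\t": 0x09, "\\n": 0x0A}


def unrender(text):
    """Undo the two-column byte rendering seen in the trace (rule assumed from the sample)."""
    out = []
    for i in range(0, len(text) - 1, 2):
        unit = text[i:i + 2]
        if unit in ESCAPES:
            out.append(ESCAPES[unit])
        elif unit[0] == " ":          # printable byte, padded with a leading space
            out.append(ord(unit[1]))
        else:                         # anything else is shown as a hex pair
            try:
                out.append(int(unit, 16))
            except ValueError:
                return None
    return out


def walk(trace, fd=5):
    """Return (syscall, label, length) for each framed message on socket `fd`."""
    calls = [m.groups() for m in CALL.finditer(trace) if m.group(2) == str(fd)]
    events, i = [], 0
    while i < len(calls):
        op, _, text, want, _, err = calls[i]
        i += 1
        raw = unrender(text)
        if want == "1":  # single status byte answering the two version strings
            events.append((op, "sendauth-status", raw[0] if raw else None))
            continue
        # 4-byte big-endian length header; None when the rendering is incomplete.
        size = int.from_bytes(bytes(raw), "big") if raw and len(raw) == 4 else None
        if err:  # the header itself could not be written: the peer had closed
            events.append((op, err, size))
        elif size == 0:
            events.append((op, "empty", 0))
        elif i < len(calls):
            _, _, body, _, got, _ = calls[i]
            i += 1
            first = (unrender(body) or [None])[0]
            label = "version-string" if len(events) < 2 else TAGS.get(first, "unknown")
            events.append((op, label, int(got) if got else size))
    return events


def diagnose(events):
    """Return (last message delivered, size announced by the failed write), or None."""
    for n, (_, label, size) in enumerate(events):
        if label == "EPIPE" and n > 0:
            return events[n - 1][1], size
    return None


if __name__ == "__main__":
    for event in walk(TRACE):
        print(event)
    print("peer closed after:", diagnose(walk(TRACE)))
```

On this trace the handshake, AP-REQ and AP-REP all complete, and the connection is gone by the time the first frame after the 105-byte KRB-SAFE message is written, so the place to look next is what kpropd does after authentication rather than the authentication itself.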
comp.protocols.kerberos
