Kerberos master-slave setup: Database propagation, and KDC & KADMIN switching

I am trying to setup Kerberos on Redhat with slaves and database
propagation (not incremental). I am going through MIT's documentation for
KDC installation and configuration. Currently, I have three doubts/issues:


1. Do we need kpropd running on the slave KDC, even if we do not have
incremental propagation?

I started xinetd service, and tried propagating database (without starting
kpropd, as I have not configured incremental propagation), and it gave me
an error:
kprop: Connection refused while connecting to server
However, when I started kpropd in the same setup without any configuration
change, I was able to successfully propagate the database.

As per the document, it says:
[Re]start inetd daemon. Alternatively, start kpropd as a stand-alone
daemon. This is required when incremental propagation is enabled.
I went through MIT's Troubleshooting page as well, and it said the same,
i.e. inetd can run kprop.

My inetd.conf:
krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd


2. Do we need to add Kerberos Administration Server (admin_server) for
slave KDC in krb5.conf? OR In other words, can we have more than one
admin_server properties configured in krb5.conf?

Since we are configuring a master-slave setup and can switch to a slave KDC,
making it the new master at any point in time, we would need to start a
Kerberos Administration Server (kadmind) on the new master as well. Do we
need to have the hosts for both admin servers listed in the krb5.conf file?

I tried adding both the hosts, but it turns out that this property only
picks the last configured one.

e.g. if a krb5.conf looks like:
[realms]
KRB.MY.DOMAIN = {
kdc = old-master-host.my.domain
kdc = new-master-host.my.domain
admin_server = old-master-host.my.domain
admin_server = new-master-host.my.domain
}
[domain_realm]
..my.domain = KRB.MY.DOMAIN

In such a case, admin server would be looked only at
new-master-host.my.domain, even if it is running on
old-master-host.my.domain.


3. Can we start Kerberos Administration Server on a slave KDC machine, as
specified in MIT documentation?

I tried starting Kerberos Administration Server (kadmind) on my new master
and I got an error:
Error. This appears to be a slave server, found kpropd.acl

Is it not advisable to start the Administration server on the slave machine
or do we have to [re]move the kpropd.acl file before we can start
Administration server?

I would really appreciate any pointers or help.
Thanks in advance!

Regards,
Harman
HARMAN
3/22/2015 2:28:16 AM
comp.protocols.kerberos
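The [realms] stanza from the post, run through a small configuration check (an added example, not code from the post or from MIT Kerberos): it parses the profile syntax with a minimal parser of my own, not libkrb5's, and warns when a realm lists admin_server more than once, since only one of the entries is honored.

```python
# Added example: minimal krb5.conf [realms] linter (not libkrb5's profile parser).
import re

# Constructed sample: the stanza from the post with both hosts listed.
SAMPLE_KRB5_CONF = """
[realms]
    KRB.MY.DOMAIN = {
        kdc = old-master-host.my.domain
        kdc = new-master-host.my.domain
        admin_server = old-master-host.my.domain   # old master
        admin_server = new-master-host.my.domain
    }
[domain_realm]
    .my.domain = KRB.MY.DOMAIN
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} for every stanza under [realms]."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # strip comments
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                        # new section header
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:                                        # realm stanza opens
            realm = m.group(1)
            realms.setdefault(realm, {})
            continue
        if line == "}":                              # realm stanza closes
            realm = None
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(\S+)", line)
        if m and realm:                              # repeated keys kept in order
            realms[realm].setdefault(m.group(1), []).append(m.group(2))
    return realms

def check_admin_servers(realms):
    """One warning per realm whose stanza lists admin_server more than once."""
    warnings = []
    for realm, keys in realms.items():
        hosts = keys.get("admin_server", [])
        if len(hosts) > 1:
            warnings.append(f"{realm}: admin_server listed {len(hosts)} times "
                            f"({', '.join(hosts)}); only one of them is honored")
    return warnings
```

Run it against a real /etc/krb5.conf by reading the file into `parse_realms`; the multiple `kdc` lines are kept, since those are legitimately repeated.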
