Kerberos Slave Propagation

Hello. I am having trouble propagating my kerberos database to a slave 
KDC. Honestly, I don't know what I'm doing. I have, however, read 
absolutely every piece of documentation available. I am stuck.

My master KDC and admin server are a Debian Linux machine running the 
MIT kerberos implementation. I installed these myself according to 
instructions. They work without problem. My slave KDC is a Mac OS 10.3, 
Panther, machine.

DNS has been correctly configured for each machine.

host wum.lat
wum.lat has address 192.168.179.73

host 192.168.179.73
73.179.168.192.in-addr.arpa domain name pointer wum.lat.

host sil.fis.lat
sil.fis.lat has address 192.168.179.43

host 192.168.179.43
43.179.168.192.in-addr.arpa domain name pointer sil.fis.lat.

/etc/krb5.conf on the Linux machine and 
/Library/Preferences/edu.mit.Kerberos on the Panther machine have been 
correctly configured.

[libdefaults]
         default_realm = LAT

[realms]
         LAT = {
                 kdc = wum.lat
                 kdc = sil.fis.lat
                 admin_server = wum.lat
         }

The principals host/wum.lat and host/sil.fis.lat have been added to the 
database. Using kadmin, I extracted the principal host/wum.lat on 
wum.lat and the principal host/sil.fis.lat on sil.fis.lat.

On the Panther machine, I created /var/db/krb5kdc/kpropd.acl.

host/wum.lat@LAT
host/sil.fis.lat@LAT

I also created /etc/xinetd.d/krb5_prop.

service krb5_prop
{
         disable = no
         socket_type     = stream
         wait            = no
         user            = root
         server          = /usr/sbin/kpropd
         groups          = yes
         flags           = REUSE
}

Finally, I added krb5_prop 754/tcp to /etc/services.

On the Linux machine, I ran kdb5_util dump 
/var/lib/krb5kdc/slave_datatrans. Running kprop sil.fis.lat, however, 
fails.

kprop: Server rejected authentication (during sendauth exchange) while 
authenticating to server
Generic remote error: Wrong principal in request

I have rechecked every step. I followed the instructions exactly, 
except that I haven't set up klogind on Panther. klogind is not included 
with the kerberos distribution for Panther.

What is the problem?

Thanks,

Jack

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

ms419 (17)
12/23/2003 8:19:40 AM
comp.protocols.kerberos

Hello!
<ms419@freezone.co.uk> wrote in message
news:21CCFD05-351C-11D8-BAA9-000A95C71776@freezone.co.uk...
> Hello. I am having trouble propagating my kerberos database to a slave
> KDC. Honestly, I don't know what I'm doing. I have, however, read
> absolutely every piece of documentation available. I am stuck.
>
> My master KDC and admin server are a Debian Linux machine running the
> MIT kerberos implementation. I installed these myself according to
> instructions. They work without problem. My slave KDC is a Mac OS 10.3,
> Panther, machine.
>
> DNS has been correctly configured for each machine.
>
> host wum.lat
> wum.lat has address 192.168.179.73
>
> host 192.168.179.73
> 73.179.168.192.in-addr.arpa domain name pointer wum.lat.
>
> host sil.fis.lat
> sil.fis.lat has address 192.168.179.43
>
> host 192.168.179.43
> 43.179.168.192.in-addr.arpa domain name pointer sil.fis.lat.
>
> /etc/krb5.conf on the Linux machine and
> /Library/Preferences/edu.mit.Kerberos on the Panther machine have been
> correctly configured.
>
> [libdefaults]
>          default_realm = LAT
>
> [realms]
>          LAT = {
>                  kdc = wum.lat
>                  kdc = sil.fis.lat
>                  admin_server = wum.lat
>          }
>
IMHO, you need to add the correct [domain_realm] section to the krb5.conf file.
Try adding it on either or both of the master and slave servers.
An example:
[domain_realm]
    .fis.lat = LAT
    fis.lat = LAT

I have suffered from such a problem. Doing that, I got propagation working.
Usually your log files contain a detailed description of the actions you are
making, particularly the full principal names which your servers are trying to
construct according to your system configuration.

Check your krb5.keytab file on the slave server too.

Best regards Illia Baidakov.


illia (9)
12/23/2003 10:15:24 AM
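The mapping rule Illia points at is easy to get wrong, so here is an added example (not code from the thread, and not MIT krb5's own code) that models how libkrb5 turns a hostname into a realm from [domain_realm] and then builds the host/ service principal each side of the kprop exchange works with. It uses the realm, hostnames and configuration from Jack's post. The fallback when nothing in [domain_realm] matches (uppercasing the parent domain of the host) is the historical library behaviour and is an assumption of this model; newer releases also consult DNS and KDC referrals, so check the actual name with the commands in the note below rather than trusting the model.

```python
"""Model of MIT libkrb5's [domain_realm] hostname-to-realm mapping.

Added example, not code from the thread or from MIT krb5.  Hostnames,
realm and configuration text come from the post above; the fallback rule
(uppercased parent domain when nothing in [domain_realm] matches) is the
historical library behaviour and is an assumption of this model.
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: top-level `key = value` lines per section.

    Brace-delimited subsections such as the LAT = { ... } block in [realms]
    are skipped; only [libdefaults] and [domain_realm] matter here.
    """
    sections, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            sections.setdefault(section, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and section is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[section][key.strip().lower()] = value.strip()
    return sections


def host_realm(host, conf):
    """Return (realm, how) for a hostname, following the documented lookup.

    Order: the exact hostname, then each parent domain with a leading dot,
    longest first.  A key without a leading dot (e.g. `fis.lat = LAT`)
    matches only a host named exactly that, not the hosts beneath it.
    """
    host = host.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host], "domain_realm"
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], "domain_realm"
    parent = ".".join(labels[1:])
    if parent:  # assumed fallback: uppercase the parent domain
        return parent.upper(), "fallback"
    return conf["libdefaults"]["default_realm"], "default_realm"


def service_principal(host, conf, service="host"):
    """Name that sname-to-principal style logic yields for service@host."""
    realm, how = host_realm(host, conf)
    return f"{service}/{host}@{realm}", how


def propagation_names(master_conf, slave_conf, slave_host):
    """Names on the two sides of kprop's sendauth exchange.

    kprop derives the server name from the master's config; kpropd derives
    the name it will accept from the slave's config.  Returns both names and
    whether they agree; disagreement is the situation behind the thread's
    "Wrong principal in request".
    """
    requested, _ = service_principal(slave_host, master_conf)
    expected, _ = service_principal(slave_host, slave_conf)
    return requested, expected, requested == expected


# Constructed configs: the one from the post, and the same one plus the
# [domain_realm] section suggested in the reply.
CONF_AS_POSTED = """
[libdefaults]
        default_realm = LAT

[realms]
        LAT = {
                kdc = wum.lat
                kdc = sil.fis.lat
                admin_server = wum.lat
        }
"""

CONF_WITH_MAPPING = CONF_AS_POSTED + """
[domain_realm]
        .fis.lat = LAT
        fis.lat = LAT
"""

if __name__ == "__main__":
    for label, text in (("as posted", CONF_AS_POSTED),
                        ("with [domain_realm]", CONF_WITH_MAPPING)):
        conf = parse_krb5_conf(text)
        for h in ("wum.lat", "sil.fis.lat", "fis.lat"):
            print(f"{label:20} {h:12} -> {service_principal(h, conf)}")
    # Master fixed, slave still as posted: the two sides disagree on the name.
    print(propagation_names(parse_krb5_conf(CONF_WITH_MAPPING),
                            parse_krb5_conf(CONF_AS_POSTED), "sil.fis.lat"))
```

Two things the model makes visible: wum.lat falls back to LAT by accident (its parent domain is "lat"), which is why the master side works with no [domain_realm] at all, while sil.fis.lat falls back to FIS.LAT; and `fis.lat = LAT` on its own covers only a host literally named fis.lat, so the `.fis.lat = LAT` line (or a single `.lat = LAT`) is the one that matters for the slave. Whatever mapping you choose, both machines must derive the same name and the slave's keytab must hold that key: on the master, `kvno host/sil.fis.lat` shows which principal kprop will ask a ticket for, and on the slave, `klist -k /etc/krb5.keytab` shows which principals kpropd can actually decrypt a ticket for. The two must agree exactly, realm included.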
I'd look at your KDC log and see what principal it is trying to
authenticate from and to.

hartmans (370)
12/23/2003 6:05:02 PM
