[39116] in Kerberos


Help with replication

daemon@ATHENA.MIT.EDU (Bill MacAllister)
Sat Jul 16 05:04:56 2022

Date: Sat, 16 Jul 2022 02:00:04 -0700
From: Bill MacAllister <bill@ca-zephyr.org>
To: <kerberos@mit.edu>
Message-ID: <b2a9fcb0ebfe2b7b37dc5f24d4626236@ca-zephyr.org>

I am having problems with replication on a second replica that I am setting
up.  The second replica looks like the first as far as I can tell, but
I am seeing kdb5-kpropd service failures.  I can kdb5_util dump and load
the database from the master to the new replica just fine, but I am seeing
the following errors when I start up krb5-kpropd.

2022-07-16T08:17:57.049587+00:00 kdc-iad-1 kpropd[630]: /usr/sbin/kpropd: Key table entry not found while initializing /usr/sbin/kpropd interface, retrying
2022-07-16T08:18:00.385533+00:00 kdc-iad-1 kpropd[630]: /usr/sbin/kpropd: Key table entry not found while initializing /usr/sbin/kpropd interface, retrying

The DNS entries for both the master and the slave look fine to me.  The
/etc/krb5.keytab on the slave looks fine and it seems to work fine when
I use it to access other services, e.g. our LDAP servers.

This is a stock Ubuntu 18.04 system with krb5-kdc 1.16 installed.  I know
this is ancient at this point, but I would really like to understand what
is happening here before I bite off an upgrade.

Here is my kdc.conf.

[kdcdefaults]
     kdc_ports = 88

[realms]
     MYREALM.COM = {
         kdc_ports        = 88
         kadmind_port     = 749
         iprop_enable     = true
         iprop_port       = 2121
         iprop_slave_pool = 1m
         database_name    = /var/lib/krb5kdc/db/principal
         admin_keytab     = FILE:/etc/krb5kdc/kadm5.keytab
         acl_file         = /etc/krb5kdc/kadm5.acl
         key_stash_file   = /etc/krb5kdc/stash
         max_life           = 25h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type    = aes256-cts-hmac-sha1-96
         supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal arcfour-hmac:normal des3-hmac-sha1:normal
         default_principal_flags = +preauth
     }

[logging]
     kdc          = FILE:/var/lib/krb5kdc/log/kdc.log
     admin_server = FILE:/var/lib/krb5kdc/log/kadmin.log

What am I missing?  What should I be looking at?

Bill

-- 
Bill MacAllister <bill@ca-zephyr.org>

"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."
Phil Ochs