From petals@pandora.petalshome.com Tue Feb 4 11:01:15 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id LAA20940 for ; Tue, 4 Feb 1997 11:01:14 -0500
Received: from petals.vip.best.com by MIT.EDU with SMTP id AA19655; Tue, 4 Feb 97 11:01:09 EST
Received: from gomer.petalshome.com (gomer [192.168.1.66]) by haedes.petalshome.com (8.6.12/8.6.9) with SMTP id VAA01925 for ; Mon, 3 Feb 1997 21:40:21 -0800
Message-Id: <199702040540.VAA01925@haedes.petalshome.com>
Date: Mon, 3 Feb 1997 21:40:25 +0000
From: "Michael Robinton"
Reply-To: petals@girlswear.com
To: krb5-bugs@MIT.EDU
Subject: Frustrated!! Is there anyone reading this mail list?
Comments: Authenticated sender is

>Number:         362
>Category:       pending
>Synopsis:       Frustrated!! Is there anyone reading this mail list?
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    tytso
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue Feb 04 11:02:01 EST 1997
>Last-Modified:  Fri Feb 07 15:38:15 EST 1997
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

2/7/97 basch
Closing out this ticket because it has already been replied to and the report is a configuration question, not a bug report.

From: "Theodore Y. Ts'o"
To: krb5-bugs@MIT.EDU, petals@girlswear.com
Cc: gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/362: Frustrated!! Is there anyone reading this mail list?
Date: Tue, 4 Feb 1997 14:05:31 -0500

Try running the test program found in test/resolve/resolve.c. My guess is that your name resolver code on your OS is not working correctly, so that when kprop tries to determine what name it should try to get initial tickets as (by using gethostname, and then gethostbyname and gethostbyaddr to get its fully qualified domain name), it's getting the wrong result.
If this indeed is the problem, it can be fixed under Solaris by editing /etc/hosts so that in the line which has the hostname and IP address for the local host, the first hostname on that line is the fully-qualified domain name (in lower case). Other platforms may require other fixes; the surefire one is to get the real name resolver library from the BIND distribution, and link that into your Kerberos programs, thus avoiding the broken OS resolver libraries. (This won't quite work if you're using Yellow Pages or NIS, but if you are, you've got other problems --- like the fact that you're using YP or NIS. :-)

The other way you can see what's going on is to look at the KDC log (in krb5kdc.log) and see what principal kprop was trying to get initial tickets for when the KDC returned an error. My suspicion is that you'll find that it's because it's trying to get a ticket for host/kmaster@PETALSHOME.COM, or host/pandora@PETALSHOME.COM, or host/pandora.petalshome.com@PETALSHOME.COM, or something else indicating a failure in your OS resolver library. (At which point see the previous paragraph for some more direct ways of diagnosing the problem.)

Good luck! I hope this helps.

- Ted

>Unformatted:
Below is the complete configuration and install sequence I used for krb5-1.0. I always get an error when trying to propagate the database to the slave kdc's using kprop. I can't figure out what I have done wrong.
I suspect that it has something to do with principal/instance@realm but I'm stumped; any assistance would be appreciated.

-----------------------------------------
logged in as user 'root' on host pandora

kmaster CNAME pandora
kslave2 CNAME wormhole
kslave1 CNAME knothole

--------------/etc/krb5.conf-------------
[libdefaults]
        ticket_lifetime = 600
        default_realm = PETALSHOME.COM
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

[realms]
        PETALSHOME.COM = {
                kdc = kmaster.petalshome.com:88
                kdc = kslave1.petalshome.com:88
                kdc = kslave2.petalshome.com:88
                admin_server = kmaster.petalshome.com:749
                default_domain = petalshome.com
        }

[domain_realm]
        .petalshome.com = PETALSHOME.COM
        petalshome.com = PETALSHOME.COM

[kdc]
        profile = /usr/local/var/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/adm/krb5kdc.log
        admin_server = FILE:/var/adm/kadmin.log
-------------------------------------------

-----/usr/local/var/krb5kdc/kdc.conf-------
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        PETALSHOME.COM = {
                profile = /etc/krb5.conf
                database_name = /usr/local/var/krb5kdc/principal
                admin_database_name = /usr/local/var/krb5kdc/principal.kadm5
                admin_database_lockfile = /usr/local/var/krb5kdc/principal.kadm5.lock
                admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
                acl_file = /usr/local/var/krb5kdc/kadm5.acl
                dict_file = /usr/local/var/krb5kdc/kadm5.dict
                key_stash_file = /usr/local/var/krb5kdc/.k5.PETALSHOME.COM
                kadmind_port = 749
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des-cbc-crc
                supported_enctypes = des-cbc-crc:normal
        }
--------------------------------------------

pandora:/# /usr/local/sbin/kdb5_util create -r PETALSHOME.COM -s
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'PETALSHOME.COM',
master key name 'K/M@PETALSHOME.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

--------------kadm5.acl---------------------
root/admin@PETALSHOME.COM       *
sysadm/admin@PETALSHOME.COM     *
--------------------------------------------

pandora:/# /usr/local/sbin/kadmin.local
kadmin.local:  addprinc sysadm/admin@PETALSHOME.COM
Enter password for principal "sysadm/admin@PETALSHOME.COM":
Re-enter password for principal "sysadm/admin@PETALSHOME.COM":
Principal "sysadm/@PETALSHOME.COM" created.
kadmin.local:  addprinc root/admin@PETALSHOME.COM
Enter password for principal "root/admin@PETALSHOME.COM":
Re-enter password for principal "root/admin@PETALSHOME.COM":
Principal "root/@PETALSHOME.COM" created.
--------------------------------------------------------
kadmin.local:  ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
--------------------------------------------

/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind
cat /var/adm/k*.log
Feb 03 09:56:34 pandora kadmind[28743](info): starting
Feb 03 09:56:34 pandora krb5kdc[28741](info): commencing operation
--------------------------------------------

pandora:/usr/local/var/krb5kdc# /usr/local/sbin/kadmin
Enter password:
kadmin:  addprinc -randkey host/kmaster.petalshome.com
Principal "host/kmaster.petalshome.com@PETALSHOME.COM" created.
kadmin:  addprinc -randkey host/kslave1.petalshome.com
Principal "host/kslave1.petalshome.com@PETALSHOME.COM" created.
kadmin:  addprinc -randkey host/kslave2.petalshome.com
Principal "host/kslave2.petalshome.com@PETALSHOME.COM" created.
kadmin:  ktadd host/kmaster.petalshome.com
Entry for principal host/kmaster.petalshome.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  q
--------------------------------------------

---user 'root' on kslave2 CNAME wormhole-------------
kadmin:  ktadd host/kslave2.petalshome.com
Entry for principal host/kslave2.petalshome.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  q
--------------------------------------------

---------added to each inetd.conf-----------
krb5_prop       stream  tcp     nowait  root    /usr/local/sbin/kpropd  kpropd
eklogin         stream  tcp     nowait  root    /usr/local/sbin/klogind klogind -k -c -e

kill -HUP (pid of inetd all kdc's)
--------------------------------------------

---user 'root' on kmaster CNAME pandora--------------
/usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kslave2.petalshome.com
/usr/local/sbin/kprop: Client not found in Kerberos database while getting initial ticket
--------------------------------------------

-----just for information------
kadmin:  getprincs
K/M@PETALSHOME.COM
sysadm/admin@PETALSHOME.COM
krbtgt/PETALSHOME.COM@PETALSHOME.COM
root/admin@PETALSHOME.COM
kadmin/admin@PETALSHOME.COM
host/kslave2.petalhome.com@PETALSHOME.COM
kadmin/changepw@PETALSHOME.COM
host/kmaster.petalshome.com@PETALSHOME.COM
host/kslave1.petalshome.com@PETALSHOME.COM
host/kslave2.petalshome.com@PETALSHOME.COM
kadmin/history@PETALSHOME.COM
------------------------------------------

Thanks for any help

Michael
----------------------------------------------------
See Petals' new web page at http://www.girlswear.com for
Pretty little girls wearing distinctive clothing and accessories
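The resolver walk Ted describes in his reply (gethostname, then gethostbyname and gethostbyaddr), followed by a check that the resulting name is a lower-case fully qualified domain name, as an added example; it is not the krb5 test/resolve/resolve.c program and not code from this thread. The realm PETALSHOME.COM and the host names come from the report; the function names, the NAME_* statuses and the optional argument naming the host whose key was added to /etc/krb5.keytab are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <netdb.h>

/* Outcome of checking the canonical name the resolver hands back. */
enum name_status { NAME_OK = 0, NAME_UNQUALIFIED = 1, NAME_NOT_LOWERCASE = 2 };

/* Usable name: fully qualified (has a dot) and lower case, the two properties the /etc/hosts fix above ensures. */
enum name_status check_canonical_name(const char *name)
{
    if (strchr(name, '.') == NULL)
        return NAME_UNQUALIFIED;
    for (const char *p = name; *p != '\0'; p++)
        if (isupper((unsigned char)*p))
            return NAME_NOT_LOWERCASE;
    return NAME_OK;
}

/* Client principal kprop asks the KDC for: host/<name>@REALM. Returns 0, or -1 if out is too small. */
int build_host_principal(const char *fqdn, const char *realm, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "host/%s@%s", fqdn, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* kprop's walk: gethostname -> gethostbyname -> gethostbyaddr. argv[1] (optional, assumed): host name in the keytab. */
int main(int argc, char **argv)
{
    char host[256], addr[16], princ[512];
    struct hostent *he;
    if (gethostname(host, sizeof host) != 0) { perror("gethostname"); return 1; }
    printf("gethostname:   %s\n", host);
    if ((he = gethostbyname(host)) == NULL) { fprintf(stderr, "gethostbyname(%s) failed\n", host); return 1; }
    printf("gethostbyname: %s\n", he->h_name);
    int af = he->h_addrtype, len = he->h_length;
    memcpy(addr, he->h_addr_list[0], (size_t)len);   /* copy: the next call reuses the static buffer */
    if ((he = gethostbyaddr(addr, len, af)) == NULL) { fprintf(stderr, "gethostbyaddr failed\n"); return 1; }
    printf("gethostbyaddr: %s\n", he->h_name);
    enum name_status st = check_canonical_name(he->h_name);
    if (st == NAME_UNQUALIFIED)   puts("problem: canonical name is not fully qualified");
    if (st == NAME_NOT_LOWERCASE) puts("problem: canonical name is not lower case");
    if (build_host_principal(he->h_name, "PETALSHOME.COM", princ, sizeof princ) == 0)
        printf("kprop would request initial tickets as: %s\n", princ);
    if (argc > 1 && strcmp(argv[1], he->h_name) != 0)
        printf("mismatch: keytab entry is for host/%s, resolver gives %s\n", argv[1], he->h_name);
    return 0;
}
```

Run it on the master KDC with the host name given to ktadd as the argument; the principal it prints is the one to compare against the KDC log entry Ted points to.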