From petals@pandora.petalshome.com Tue Feb 4 11:01:15 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id LAA20940 for <bugs@RT-11.MIT.EDU>; Tue, 4 Feb 1997 11:01:14 -0500
Received: from petals.vip.best.com by MIT.EDU with SMTP
id AA19655; Tue, 4 Feb 97 11:01:09 EST
Received: from gomer.petalshome.com (gomer [192.168.1.66]) by haedes.petalshome.com (8.6.12/8.6.9) with SMTP id VAA01925 for <krb5-bugs@mit.edu>; Mon, 3 Feb 1997 21:40:21 -0800
Message-Id: <199702040540.VAA01925@haedes.petalshome.com>
Date: Mon, 3 Feb 1997 21:40:25 +0000
From: "Michael Robinton" <petals@girlswear.com>
Reply-To: petals@girlswear.com
To: krb5-bugs@MIT.EDU
Subject: Frustrated!! Is there anyone reading this mail list?
Comments: Authenticated sender is <petals@pandora>

>Number: 362
>Category: pending
>Synopsis: Frustrated!! Is there anyone reading this mail list?
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: tytso
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 04 11:02:01 EST 1997
>Last-Modified: Fri Feb 07 15:38:15 EST 1997
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

2/7/97 basch
Closing out this ticket because it has already been replied to and the
report is a configuration question, not a bug report.


From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU, petals@girlswear.com
Cc: gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
Subject: Re: pending/362: Frustrated!! Is there anyone reading this mail list?
Date: Tue, 4 Feb 1997 14:05:31 -0500

Try running the test program found in test/resolve/resolve.c. My guess
is that your name resolver code on your OS is not working
correctly, so that when kprop tries to determine what name it should try
to get initial tickets as (by using gethostname, and then gethostbyname
and gethostbyaddr to get its fully qualified domain name), it's getting
the wrong result.

If this indeed is the problem, it can be fixed under Solaris by editing
/etc/hosts so that in the line which has the hostname and IP address for
the local host, the first hostname on that line is the fully-qualified
domain name (in lower case). Other platforms may require other fixes;
the surefire one is to get the real name resolver library from the BIND
distribution, and link that into your Kerberos programs, thus avoiding
the broken OS resolver libraries. (This won't quite work if you're
using Yellow Pages or NIS, but if you are, you've got other problems ---
like the fact that you're using YP or NIS. :-)

The other way you can see what's going on is to look at the KDC log (in
krb5kdc.log) and see what principal kprop was trying to get initial
tickets for when the KDC returned an error. My suspicion is that you'll
find that it's because it's trying to get a ticket for
host/kmaster@PETALSHOME.COM, or host/pandora@PETALSHOME.COM, or
host/pandora.petalshome.com@PETALSHOME.COM, or something else indicating
a failure in your OS resolver library. (At which point see the
previous paragraph for some more direct ways of diagnosing the problem.)

Good luck! I hope this helps.

- Ted
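The resolver walk Ted describes, as an added example in C (it is not MIT's test/resolve/resolve.c and not from this thread): it runs gethostname, gethostbyname and gethostbyaddr, builds the host principal kprop would request, and fails when the resolver hands back an unqualified name. The realm PETALSHOME.COM is taken from the report; the function names are this example's own.

```c
/* Added example, not MIT's test/resolve/resolve.c: walk the gethostname ->
 * gethostbyname -> gethostbyaddr chain kprop uses and print the host principal
 * it would ask the KDC for. The realm in main() is taken from the report. */
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* A resolver result is only usable if it is a fully qualified name. */
int looks_qualified(const char *name)
{
    return name != NULL && strchr(name, '.') != NULL;
}

/* Build host/<fqdn>@REALM with the host part lower-cased, as the KDC stores it.
 * Returns 0 on success, -1 if the name is unqualified or the buffer is too small. */
int build_host_principal(const char *fqdn, const char *realm, char *out, size_t outlen)
{
    size_t i, n = fqdn ? strlen(fqdn) : 0;
    if (!looks_qualified(fqdn) || n + strlen(realm) + 7 > outlen)
        return -1;
    memcpy(out, "host/", 5);
    for (i = 0; i < n; i++)
        out[5 + i] = (char)tolower((unsigned char)fqdn[i]);
    snprintf(out + 5 + n, outlen - 5 - n, "@%s", realm);
    return 0;
}

int main(void)
{
    char host[256], princ[512];
    struct in_addr addr; struct hostent *he;
    if (gethostname(host, sizeof host) != 0) { perror("gethostname"); return 1; }
    printf("gethostname:   %s\n", host);
    he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET) { puts("gethostbyname failed"); return 1; }
    printf("gethostbyname: %s\n", he->h_name);
    memcpy(&addr, he->h_addr_list[0], sizeof addr); /* copy: next call reuses the static buffer */
    he = gethostbyaddr(&addr, sizeof addr, AF_INET);
    if (he == NULL) { puts("gethostbyaddr failed"); return 1; }
    printf("gethostbyaddr: %s\n", he->h_name);
    if (build_host_principal(he->h_name, "PETALSHOME.COM", princ, sizeof princ) != 0) {
        puts("resolver returned an unqualified name; fix /etc/hosts or the resolver");
        return 1;
    }
    printf("kprop would request initial tickets as %s\n", princ);
    return 0;
}
```

If the last line prints host/kmaster@... or host/pandora@... rather than host/pandora.petalshome.com@PETALSHOME.COM, the resolver, not Kerberos, is what needs fixing.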
>Unformatted:
Below is the complete configuration and install
sequence I used for krb5-1.0.
I always get an error when trying to propagate
the database to the slave kdc's using kprop.
I can't figure out what I have done wrong.
I suspect that it has something to do with
principal/instance@realm, but I'm stumped;
any assistance would be appreciated.
-----------------------------------------
logged in as user 'root' on host pandora

kmaster CNAME pandora
kslave2 CNAME wormhole
kslave1 CNAME knothole

--------------/etc/krb5.conf-------------
[libdefaults]
ticket_lifetime = 600
default_realm = PETALSHOME.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
PETALSHOME.COM = {
kdc = kmaster.petalshome.com:88
kdc = kslave1.petalshome.com:88
kdc = kslave2.petalshome.com:88
admin_server = kmaster.petalshome.com:749
default_domain = petalshome.com
}

[domain_realm]
.petalshome.com = PETALSHOME.COM
petalshome.com = PETALSHOME.COM

[kdc]
profile = /usr/local/var/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmin.log
-------------------------------------------
-----/usr/local/var/krb5kdc/kdc.conf-------
[kdcdefaults]
kdc_ports = 88,750

[realms]
PETALSHOME.COM = {
profile = /etc/krb5.conf
database_name = /usr/local/var/krb5kdc/principal
admin_database_name = /usr/local/var/krb5kdc/principal.kadm5
admin_database_lockfile = /usr/local/var/krb5kdc/principal.kadm5.lock
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/local/var/krb5kdc/kadm5.dict
key_stash_file = /usr/local/var/krb5kdc/.k5.PETALSHOME.COM
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal
}
--------------------------------------------
pandora:/# /usr/local/sbin/kdb5_util create -r PETALSHOME.COM -s
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'PETALSHOME.COM',
master key name 'K/M@PETALSHOME.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
--------------kadm5.acl---------------------
root/admin@PETALSHOME.COM *
sysadm/admin@PETALSHOME.COM *
--------------------------------------------
pandora:/# /usr/local/sbin/kadmin.local
kadmin.local: addprinc sysadm/admin@PETALSHOME.COM
Enter password for principal "sysadm/admin@PETALSHOME.COM":
Re-enter password for principal "sysadm/admin@PETALSHOME.COM":
Principal "sysadm/@PETALSHOME.COM" created.
kadmin.local: addprinc root/admin@PETALSHOME.COM
Enter password for principal "root/admin@PETALSHOME.COM":
Re-enter password for principal "root/admin@PETALSHOME.COM":
Principal "root/@PETALSHOME.COM" created.
--------------------------------------------------------
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
--------------------------------------------
/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind
cat /var/adm/k*.log
Feb 03 09:56:34 pandora kadmind[28743](info): starting
Feb 03 09:56:34 pandora krb5kdc[28741](info): commencing operation
--------------------------------------------
pandora:/usr/local/var/krb5kdc# /usr/local/sbin/kadmin
Enter password:
kadmin: addprinc -randkey host/kmaster.petalshome.com
Principal "host/kmaster.petalshome.com@PETALSHOME.COM" created.
kadmin: addprinc -randkey host/kslave1.petalshome.com
Principal "host/kslave1.petalshome.com@PETALSHOME.COM" created.
kadmin: addprinc -randkey host/kslave2.petalshome.com
Principal "host/kslave2.petalshome.com@PETALSHOME.COM" created.

kadmin: ktadd host/kmaster.petalshome.com
Entry for principal host/kmaster.petalshome.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
kadmin: q
--------------------------------------------
---user 'root' on kslave2 CNAME wormhole-------------
kadmin: ktadd host/kslave2.petalshome.com
Entry for principal host/kslave2.petalshome.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
kadmin: q
--------------------------------------------
---------added to each inetd.conf-----------
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -k -c -e

kill -HUP (pid of inetd on all kdc's)
--------------------------------------------
---user 'root' on kmaster CNAME pandora--------------
/usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kslave2.petalshome.com
/usr/local/sbin/kprop: Client not found in Kerberos database while getting initial ticket
--------------------------------------------
-----just for information------
kadmin: getprincs
K/M@PETALSHOME.COM
sysadm/admin@PETALSHOME.COM
krbtgt/PETALSHOME.COM@PETALSHOME.COM
root/admin@PETALSHOME.COM
kadmin/admin@PETALSHOME.COM
host/kslave2.petalhome.com@PETALSHOME.COM
kadmin/changepw@PETALSHOME.COM
host/kmaster.petalshome.com@PETALSHOME.COM
host/kslave1.petalshome.com@PETALSHOME.COM
host/kslave2.petalshome.com@PETALSHOME.COM
kadmin/history@PETALSHOME.COM
------------------------------------------
Thanks for any help

Michael

----------------------------------------------------
See Petals' new web page at http://www.girlswear.com
for Pretty little girls wearing
distinctive clothing and accessories