Date: Mon, 26 Feb 1996 19:33:50 +0200
From: Mark Murray <mark@grondar.za>
To: Ken Lam <klam@awod.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos 4 Slave Server Setup in 2.1
Message-ID: <199602261733.TAA06499@grumble.grondar.za>

Ken Lam wrote:
> OK. The following is currently what I have done:
>
> I have added kpropd to inetd.conf in my slave, it does
> respond when I telnet to the port. I have a script
> which uses kdb_util to do a slave_dump and then calls
> kprop.
>
> I'm not quite sure which machines need the 'rcmd'
> principal and what instance they need, and I may
> have done the following wrong.
The master needs to have an rcmd principal for each kerberised machine
on the network in his realm. Each principal needs an instance that is
the same name as the machine. Eg - I have two kerberised machines
grunt.grondar.za and grumble.grondar.za. My kerberos server therefore
has rcmd.grunt and rcmd.grumble.
> rcmd.kerberos and rcmd.indigo are in both master
> and slave (with an 'ext_srvtab kerberos' srvtab on
> the slave).
Do you have two machines called kerberos and indigo? Are they your
master and slave? If so, you are OK. I would also put a srvtab on the
master.
> the docs say rcmd.HOSTNAME@REALM
>
> does that mean rcmd.indigo.awod.com@AWOD.COM ?
No. rcmd.indigo@AWOD.COM.
> krb.conf
> ----
> AWOD.COM
> AWOD.COM moultrie.awod.com admin server
> AWOD.COM indigo.awod.com
You have your rcmd.'s wrong. They should (by above definition) be
rcmd.moultrie and rcmd.indigo.
> krb.realms
> ----
> AWOD.COM AWOD.COM
> .AWOD.COM AWOD.COM
OK...
> krb.slaves
> ----
> indigo.awod.com
??? Is this a file? I find no reference to it anywhere?
> this is the console message I receive when trying to propagate:
>
> moultrie# /usr/sbin/kdbupdate
                      ^^^^^^^^^
What is this?
> Start slave propagation: Mon Feb 26 11:09:29 1996
> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.kprop: propagation failed.
>
> this is from the kerberos.log:
>
> 26-Feb-96 11:09:29 Initial ticket request Host: 198.81.225.2 User: "rcmd" "kerberos"
> 26-Feb-96 11:09:29 APPL Request rcmd.kerberos@AWOD.COM on 198.81.225.2 for rcmd.
Hmm. I'll need to look at a bit more. Do your logs mention any other
(perhaps funny looking) principal.instance pairs? What other "Initial ticket
requests" are you getting?
Not being a kprop[d] user, I cannot offer you much specific advice about
that.
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
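
The naming rule discussed in the message above (the rcmd instance is the machine's short host name, not its FQDN), as an added example that is not part of the original e-mail: it derives the expected rcmd principals from a krb.conf and flags rcmd ticket requests in kerberos.log for instances that match no listed host. The function names, the second and third log lines, and the assumption that every requester is in the local realm are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the krb.conf and kerberos.log
# excerpts quoted in the message; log lines 2 and 3 are invented.
KRB_CONF = """\
AWOD.COM
AWOD.COM moultrie.awod.com admin server
AWOD.COM indigo.awod.com
"""

KERBEROS_LOG = """\
26-Feb-96 11:09:29 Initial ticket request Host: 198.81.225.2 User: "rcmd" "kerberos"
26-Feb-96 11:09:30 Initial ticket request Host: 198.81.225.2 User: "rcmd" "indigo"
26-Feb-96 11:09:31 Initial ticket request Host: 198.81.225.3 User: "klam" ""
"""

def expected_rcmd_principals(krb_conf):
    """Return the set rcmd.<short-hostname>@REALM for each server line in krb.conf."""
    lines = [l.split() for l in krb_conf.splitlines() if l.strip()]
    principals = set()
    for fields in lines[1:]:            # line 1 only names the local realm
        realm, host = fields[0], fields[1]
        instance = host.split(".")[0]   # short host name, not the FQDN
        principals.add(f"rcmd.{instance}@{realm}")
    return principals

TICKET_RE = re.compile(r'Initial ticket request Host: (\S+) User: "([^"]*)" "([^"]*)"')

def unexpected_rcmd_requests(log_text, krb_conf):
    """Return (host, principal) for rcmd requests whose instance is not a listed host."""
    realm = krb_conf.split()[0]         # assumption: requester is in the local realm
    expected = expected_rcmd_principals(krb_conf)
    hits = []
    for line in log_text.splitlines():
        m = TICKET_RE.search(line)
        if not m or m.group(2) != "rcmd":
            continue                    # only rcmd service principals are checked
        principal = f"rcmd.{m.group(3)}@{realm}"
        if principal not in expected:
            hits.append((m.group(1), principal))
    return hits

if __name__ == "__main__":
    print(sorted(expected_rcmd_principals(KRB_CONF)))
    for host, principal in unexpected_rcmd_requests(KERBEROS_LOG, KRB_CONF):
        print(f"{host} requested {principal}: no such host in krb.conf")
```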
