From owner-freebsd-security Mon Feb 26 09:35:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA02830 for security-outgoing; Mon, 26 Feb 1996 09:35:09 -0800 (PST)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA02799 for ; Mon, 26 Feb 1996 09:34:41 -0800 (PST)
Received: from grumble.grondar.za (mark@localhost [127.0.0.1]) by grumble.grondar.za (8.7.3/8.7.3) with ESMTP id TAA06499; Mon, 26 Feb 1996 19:33:52 +0200 (SAT)
Message-Id: <199602261733.TAA06499@grumble.grondar.za>
To: Ken Lam
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos 4 Slave Server Setup in 2.1
Date: Mon, 26 Feb 1996 19:33:50 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Ken Lam wrote:
> OK. The following is currently what I have done:
>
> I have added kpropd to inetd.conf in my slave, it does
> respond when I telnet to the port. I have a script
> which uses kdb_util to do a slave_dump and then calls
> kprop.
>
> I'm not quite sure which machines need the 'rcmd'
> principal and what instance they need, and I may
> have done the following wrong.

The master needs to have an rcmd principal for each kerberised machine
on the network in his realm. Each principal needs an instance that is
the same name as the machine.

Eg - I have two kerberised machines grunt.grondar.za and
grumble.grondar.za. My kerberos server therefore has rcmd.grunt and
rcmd.grumble.

> rcmd.kerberos and rcmd.indigo are in both master
> and slave (with an 'ext_srvtab kerberos' srvtab on
> the slave).

Do you have two machines called kerberos and indigo? Are they your
master and slave? If so, you are OK. I would also put a srvtab on the
master.

> the docs say rcmd.HOSTNAME@REALM
>
> does that mean rcmd.indigo.awod.com@AWOD.COM ?

No. rcmd.indigo@AWOD.COM,

> krb.conf
> ----
> AWOD.COM
> AWOD.COM moultrie.awod.com admin server
> AWOD.COM indigo.awod.com

You have your rcmd.'s wrong. They should (by above definition) be
rcmd.moultrie and rcmd.indigo.

> krb.realms
> ----
> AWOD.COM AWOD.COM
> .AWOD.COM AWOD.COM

OK...

> krb.slaves
> ----
> indigo.awod.com

??? Is this a file? I find no reference to it anywhere?

> this is the console message I receive when trying to propagate:
>
> moultrie# /usr/sbin/kdbupdate
                      ^^^^^^^^^
What is this?

> Start slave propagation: Mon Feb 26 11:09:29 1996
> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.ind igo
> .awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.indigo.aw od.
> com: Generic kerberos error (kfailure). Calling krb_sendauth.indigo.awod.com : G
> eneric kerberos error (kfailure). Calling krb_sendauth.indigo.awod.com: Gene ric
> kerberos error (kfailure). Calling krb_sendauth.kprop: propagation failed.
>
> this is from the kerberos.log:
>
> 26-Feb-96 11:09:29 Initial ticket request Host: 198.81.225.2 User: "rcmd" "ke rbe
> ros"
> 26-Feb-96 11:09:29 APPL Request rcmd.kerberos@AWOD.COM on 198.81.225.2 for rc md.

Hmm. I'll need to look at a bit more. Do your logs mention any other
(perhaps funny looking) principal.instance pairs? What other "Initial
ticket requests" are you getting?

Not being a kprop[d] user, I cannot offer you much specific advice
about that.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
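
[Added example, not part of the original message or of any Kerberos distribution.] The log check asked for in the reply above, as a script: it derives the rcmd.<short-hostname>@REALM principals from krb.conf and lists "Initial ticket request" entries for rcmd whose instance is not one of those short names. The sample inputs are constructed in the formats quoted in the thread; it assumes the only kerberised machines are the hosts listed in krb.conf and that requests are for the local realm.

```python
import re

# Constructed sample, modelled on the krb.conf quoted in the thread.
KRB_CONF = """\
AWOD.COM
AWOD.COM moultrie.awod.com admin server
AWOD.COM indigo.awod.com
"""

# Constructed log lines in the format of the kerberos.log excerpt in the thread.
KERBEROS_LOG = """\
26-Feb-96 11:09:29 Initial ticket request Host: 198.81.225.2 User: "rcmd" "kerberos"
26-Feb-96 11:10:02 Initial ticket request Host: 198.81.225.2 User: "rcmd" "indigo"
26-Feb-96 11:10:40 Initial ticket request Host: 198.81.225.3 User: "rcmd" "indigo.awod.com"
26-Feb-96 11:11:15 Initial ticket request Host: 198.81.225.3 User: "ken" ""
"""

TICKET_RE = re.compile(
    r'Initial ticket request Host: (\S+) User: "([^"]*)" "([^"]*)"')


def expected_rcmd_principals(krb_conf):
    """Map each host line in krb.conf to rcmd.<short-hostname>@REALM."""
    rows = [line.split() for line in krb_conf.splitlines() if line.strip()]
    expected = set()
    for fields in rows[1:]:                 # first line is the local realm
        realm, host = fields[0], fields[1]
        expected.add("rcmd.%s@%s" % (host.split(".")[0], realm))
    return expected


def unexpected_rcmd_requests(log_text, krb_conf):
    """Return (client_ip, principal) for rcmd ticket requests whose instance
    is not the short name of a machine listed in krb.conf."""
    realm = krb_conf.split()[0]             # assumption: request is for local realm
    expected = expected_rcmd_principals(krb_conf)
    hits = []
    for match in TICKET_RE.finditer(log_text):
        ip, name, instance = match.groups()
        principal = "%s.%s@%s" % (name, instance, realm)
        if name == "rcmd" and principal not in expected:
            hits.append((ip, principal))
    return hits


if __name__ == "__main__":
    for ip, principal in unexpected_rcmd_requests(KERBEROS_LOG, KRB_CONF):
        print("%s requested %s" % (ip, principal))
```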