From owner-freebsd-security Mon Feb 26 10:06:27 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA04678 for security-outgoing; Mon, 26 Feb 1996 10:06:27 -0800 (PST)
Received: from sumter.awod.com (awod.com [198.81.225.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id KAA04668 for ; Mon, 26 Feb 1996 10:06:18 -0800 (PST)
Received: from Ken (tsunami.awod.com [198.81.225.31]) by sumter.awod.com (8.6.11/8.6.9) with SMTP id NAA10961; Mon, 26 Feb 1996 13:05:56 -0500
Message-Id: <1.5.4b11.32.19960226180750.0068c940@awod.com>
X-Sender: klam@awod.com
X-Mailer: Windows Eudora Light Version 1.5.4b11 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 26 Feb 1996 13:07:50 -0500
To: Mark Murray
From: Ken Lam
Subject: Re: Kerberos 4 Slave Server Setup in 2.1
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

>> rcmd.kerberos and rcmd.indigo are in both master
>> and slave (with an 'ext_srvtab kerberos' srvtab on
>> the slave).
>
>Do you have two machines called kerberos and indigo? Are they your
>master and slave? If so, you are OK. I would also put a srvtab on the
>master.
>
>> the docs say rcmd.HOSTNAME@REALM
>>
>> does that mean rcmd.indigo.awod.com@AWOD.COM ?
>
>No. rcmd.indigo@AWOD.COM,
>
>> krb.conf
>> ----
>> AWOD.COM
>> AWOD.COM moultrie.awod.com admin server
>> AWOD.COM indigo.awod.com
>
>You have your rcmd.'s wrong. They should (by above definition) be
>rcmd.moultrie and rcmd.indigo.

OK. I have a DNS CNAME entry of kerberos for moultrie, but I will change
that my conf file to kerberos.

>> krb.realms
>> ----
>> AWOD.COM AWOD.COM
>> .AWOD.COM AWOD.COM
>
>OK...
>
>> krb.slaves
>> ----
>> indigo.awod.com
>
>??? Is this a file? I find no reference to it anywhere?

I found that in documentation from indiana.edu
http://browneyes.ucs.indiana.edu/subject/kerberos/krb.slaves.html

>> this is the console message I receive when trying to propagate:
>>
>> moultrie# /usr/sbin/kdbupdate
>                      ^^^^^^^^^
>What is this?

#!/bin/sh
/usr/sbin/kdb_util slave_dump /etc/kerberosIV/krb_update_dump
/usr/sbin/kprop /etc/kerberosIV/krb_update_dump /etc/kerberosIV/krb.slaves

>> Start slave propagation: Mon Feb 26 11:09:29 1996
>> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.
>> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.
>> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.
>> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.
>> indigo.awod.com: Generic kerberos error (kfailure). Calling krb_sendauth.
>> kprop: propagation failed.
>>
>> this is from the kerberos.log:
>>
>> 26-Feb-96 11:09:29 Initial ticket request Host: 198.81.225.2 User: "rcmd" "kerberos"
>> 26-Feb-96 11:09:29 APPL Request rcmd.kerberos@AWOD.COM on 198.81.225.2 for rcmd.
>
>Hmm. I'll need to look at a bit more. Do your logs mention any other
>(perhaps funny looking) principal.instance pairs? What other "Initial ticket
>requests" are you getting?

Those are the only ones being generated by these attempts.

>Not being a kprop[d] user, I cannot offer you much specific advice about
>that.

How are you handling your master/slave servers without kprop? Is there
some other means?

Thanks again

Ken
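
The naming rule from the quoted reply (the rcmd instance is the short host name listed in krb.conf, so rcmd.indigo rather than rcmd.indigo.awod.com), as an added example that is not part of the original message. The function names and the plain-text principal list are assumptions, and the sample files are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example: derive the rcmd principals a Kerberos 4 krb.conf implies.
# Rule taken from the quoted reply: instance = short host name, not the FQDN.

# Print rcmd.<shorthost>@<REALM> for every server line in a krb.conf file.
# Line 1 of krb.conf is the local realm and carries no host, so it is skipped.
expected_rcmd_principals() {
    awk 'NR > 1 && NF >= 2 {
        split(tolower($2), label, ".")      # keep only the first DNS label
        print "rcmd." label[1] "@" $1
    }' "$1" | sort -u
}

# Print expected principals that are absent from a list of existing ones
# (hypothetical input format: one name.instance per line, realm optional).
missing_rcmd_principals() {
    conf=$1 have=$2
    expected_rcmd_principals "$conf" | while read -r princ; do
        bare=${princ%@*}                    # same principal without @REALM
        grep -qxF -e "$princ" -e "$bare" "$have" || echo "$princ"
    done
}

# Constructed sample input, built from the values quoted in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'AWOD.COM' \
        'AWOD.COM moultrie.awod.com admin server' \
        'AWOD.COM indigo.awod.com' > "$tmp/krb.conf"
    printf '%s\n' 'rcmd.kerberos' 'rcmd.indigo' > "$tmp/principals"
    missing_rcmd_principals "$tmp/krb.conf" "$tmp/principals"
    rm -rf "$tmp"
}

demo
```

With the thread's values, the only principal reported missing is the one for the master host under its krb.conf name; rcmd.kerberos matches no host listed there.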