Re: Help with replication

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Help with replication
Date: Mon, 18 Jul 2022 00:03:08 -0400
Organization: TNet Consulting
Lines: 24
Message-ID: <mailman.87.1658117007.8148.kerberos@mit.edu>
References: <b2a9fcb0ebfe2b7b37dc5f24d4626236@ca-zephyr.org>
<6755037f-8e8e-7886-44a8-31a83124c787@mit.edu>
<2096c771ad96df84cd2b8113011d7ea9@ca-zephyr.org>
<202207180403.26I43CgF030277@hedwig.cmf.nrl.navy.mil>
Cc: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
To: Bill MacAllister <bill@ca-zephyr.org>
In-Reply-To: <2096c771ad96df84cd2b8113011d7ea9@ca-zephyr.org>
 by: Ken Hornstein - Mon, 18 Jul 2022 04:03 UTC

>Thanks Greg. I should have remembered that. It exposed the fact
>that the kiprop/ principal for the host was missing. I created the
>principal and added it to /etc/krb5.keytab. This moved the error, but
>I am still getting failures to replicate. Here is the debug log:

Did you, in fact, create that principal? I ask because the error you
are getting is:

>[27738] 1658108981.225629: Received error from KDC: -1765328377/Server not found in Kerberos database

Which suggests you did not (although it wasn't from the primary KDC, which
suggests that maybe whatever KDC you used didn't have it replicated yet).
The KDC logs should explain what went wrong.

As a side note: I ran into an issue on CentOS 7 where systemd would
start up kpropd before DNS resolution was working, so on reboot kpropd
wouldn't work because it couldn't canonicalize its local hostname. My
solution was to write a special systemd service which would act as a
provider for nss-lookup.target (because nothing on CentOS 7 actually
provides that functionality). I'm not saying that's your issue, but
something worth noting.

--Ken
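
The side note above describes a unit that acts as a provider for nss-lookup.target. The following is an added example of that idea, not the poster's actual unit: the unit name wait-for-dns.service, the drop-in file name, and the assumption that kpropd runs as kprop.service are all hypothetical.

```ini
# /etc/systemd/system/wait-for-dns.service   (hypothetical unit name)
[Unit]
Description=Hold back nss-lookup.target until the local hostname resolves
# nss-lookup.target is a passive target: the provider pulls it in and
# orders itself before it, consumers only order themselves after it.
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Poll the NSS resolver until this host's own name can be looked up.
# "$$" is systemd's escape for a literal "$" passed to the shell.
ExecStart=/bin/sh -c 'until getent hosts "$$(hostname)" >/dev/null; do sleep 2; done'
# Bound the wait so a permanently broken resolver fails this unit
# instead of stalling boot ordering indefinitely.
TimeoutStartSec=120

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/kprop.service.d/after-dns.conf   (hypothetical drop-in;
# assumes kpropd is started by kprop.service)
[Unit]
# Consumer side: start kpropd only after name resolution is reported up.
After=nss-lookup.target
```

After installing both files, `systemctl daemon-reload` and `systemctl enable wait-for-dns.service` make the ordering take effect on the next boot.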

