Re: Help with replication
From: bil...@ca-zephyr.org (Bill MacAllister)
Newsgroups: comp.protocols.kerberos
Subject: Re: Help with replication
Date: Mon, 18 Jul 2022 10:47:09 -0700
Organization: TNet Consulting
Lines: 43
Message-ID: <mailman.88.1658166483.8148.kerberos@mit.edu>
References: <b2a9fcb0ebfe2b7b37dc5f24d4626236@ca-zephyr.org>
<6755037f-8e8e-7886-44a8-31a83124c787@mit.edu>
<2096c771ad96df84cd2b8113011d7ea9@ca-zephyr.org>
<202207180403.26I43CgF030277@hedwig.cmf.nrl.navy.mil>
<2ec4e1247f558f3b27bd74b6f931a0d9@ca-zephyr.org>
Cc: Greg Hudson <ghudson@mit.edu>, <kerberos@mit.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202207180403.26I43CgF030277@hedwig.cmf.nrl.navy.mil>

On 2022-07-17 21:03, Ken Hornstein wrote:
>
>> [27738] 1658108981.225629: Received error from KDC: -1765328377/Server
>> not found in Kerberos database
>
> Which suggests you did not (although it wasn't from the primary KDC, which
> suggests that maybe whatever KDC you used didn't have it replicated yet).
> The KDC logs should explain what went wrong.

The KDC logs revealed that indeed the principal did not exist. I had updated
the krb5.conf to use a cname for the admin principal and kpropd is using the
entry in the krb5.conf without canonicalization. I changed the krb5.conf file
to use host names that matched the principals that I had created. That, along
with making sure kadm5.acl and kpropd.acl had the appropriate entries, solved
my problem. Thanks for the pointer. (Who would have thought to look in the
logs? Certainly now me.)

I am a bit surprised that the cnames in the krb5.conf file were the problem.
I would like to use a common krb5.conf file everywhere, deployed by our
configuration management processes. I guess one way would be to create
principals for the cnames. Seems a bit unclean. Or just have a unique
krb5.conf for kdc systems.

Thanks again Greg and Ken for the help. My head was getting sore from
pounding against that wall.

Bill

--
Bill MacAllister <bill@ca-zephyr.org>

"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."
Phil Ochs
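As an added illustration of the name mismatch Bill describes above (this is not code from the thread or from MIT Kerberos), the check below cross-references the host names a krb5.conf [realms] stanza refers to, and the entries in a kpropd.acl, against the principals that actually exist in the database (in the style of `kadmin listprincs` output). It assumes that any service/<host>@REALM principal counts as a match for a host name, since the post does not say which service name was looked up; all three input files are constructed samples.

```python
"""Cross-check krb5.conf [realms] host names and kpropd.acl entries against the
principals that exist. Added illustration; not code from this thread or MIT Kerberos."""
import re

# Constructed krb5.conf fragment: admin_server points at a CNAME alias.
KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org:88
        admin_server = kerberos-admin.example.org
    }
"""
# Constructed kpropd.acl from a replica: the second entry names an alias, not a real host.
KPROPD_ACL = """\
host/kdc1.example.org@EXAMPLE.ORG
host/kerberos-primary.example.org@EXAMPLE.ORG
"""
# Constructed principal list in 'kadmin listprincs' style (assumed database contents).
LISTPRINCS = """\
host/kdc1.example.org@EXAMPLE.ORG
host/kdc2.example.org@EXAMPLE.ORG
kadmin/kdc1.example.org@EXAMPLE.ORG
"""

def realm_hosts(conf):
    """{realm: set(hostnames)} from kdc= and admin_server= lines, ports stripped."""
    hosts = {}
    for realm, body in re.findall(r"([A-Z0-9.\-]+)\s*=\s*\{(.*?)\}", conf, re.S):
        hosts[realm] = {h.lower() for h in re.findall(r"(?m)^\s*(?:kdc|admin_server)\s*=\s*([^\s:]+)", body)}
    return hosts

def principals(listprincs):
    """Set of non-empty principal names from listprincs-style text."""
    return {p.strip() for p in listprincs.splitlines() if p.strip()}

def unmatched_hosts(conf, listprincs):
    """(realm, host) pairs named in krb5.conf with no service/<host>@REALM principal at all."""
    have = set()
    for p in principals(listprincs):
        m = re.match(r"[^/@]+/([^@]+)@(.+)", p)
        if m:
            have.add((m.group(2), m.group(1).lower()))
    return sorted((r, h) for r, hs in realm_hosts(conf).items() for h in hs if (r, h) not in have)

def unknown_acl_entries(acl, listprincs):
    """kpropd.acl entries naming principals that do not exist in the database."""
    return sorted(principals(acl) - principals(listprincs))
```

Run against a real krb5.conf, kpropd.acl and listprincs dump, anything reported by either function is a name that kprop/kpropd or kadmin will look up and fail to find, which is exactly the "Server not found in Kerberos database" symptom in the thread.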