Re: How to view KVNO on slave

From: kerbe...@norgie.net (Mike)
Newsgroups: comp.protocols.kerberos
Subject: Re: How to view KVNO on slave
Date: Thu, 12 Oct 2023 14:01:30 +0100
Message-ID: <mailman.9.1697115747.2263420.kerberos@mit.edu>
 by: Mike - Thu, 12 Oct 2023 13:01 UTC

On 07/10/2023 17:27, Russ Allbery wrote:
> Mike via Kerberos <kerberos@mit.edu> writes:
>
>> I'm surmising that the issue might be that the service principal may not
>> have replicated correctly to the slave server, which is used by the
>> Apache host. I can see the ticket details on the master using
>> kadmin.local and getprinc and I can see the keytab info using ktutil.
>> My question is this: How does one view the KVNO in the Slave DB? I
>> imagine it's probably available via kdb5_util dump but unfortunately I
>> have not found any documents explaining the fields in the dump.
>
> You can use kadmin.local on the slave the same way that you use it on the
> master, I'm fairly sure. It's been a while since I've done this, but I'm
> pretty sure the database is the same and the tool doesn't have any idea
> whether you're running it on a master or a slave.
>
> I would expect you to get replication errors if there was a replication
> problem. If you're only doing incremental replication and you think
> something may have gone wrong, you can always do a full replication, which
> guarantees that the slave is identical to the master.
>

Hi Russ,

Thanks for the info. You were indeed correct, kadmin.local can be used
on the slave DB. It's not installed by default on Debian, at least, as
it comes as part of the kadmin package. I installed it and saw that the
KVNO is up to date.

I eventually happened upon the answer in the kdc.log on the master. It
was a DNS mix-up. The web server has two DNS names,
server.zone.example.com and server.example.com. The service principal
was HTTP/server.zone.example.com and the log was complaining about not
being able to find a service principal for HTTP/server.example.com. So
I created one, added it to the keytab and things started working again!

It was simple in the end; trouble is, I'd been concentrating on the
logging of the slave server and the web server, neither of which recorded
anything helpful.

The only weird thing is that it also (I later found out) affected
another web server in the same way, but it has been working for years. It
wasn't until I rekeyed the service principal that the problem seemed to
arise. I guess that part will remain a mystery. It is now fixed,
however, and I thank you again for your assistance.

Kind regards,
Mike.
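
Added example, not part of the original message: a Python check for the two conditions discussed in this thread, a service principal missing from the keytab for one of the host's DNS names and a KVNO that differs between the keytab and the KDC. The sample `klist -k` and `getprinc` text is constructed, and the realm EXAMPLE.COM, the keytab path and the function names are assumptions; the parser expects plain `klist -k` output without the timestamp column.

```python
import re

# Constructed sample: `klist -k` output for the web server's keytab.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- ------------------------------------------------------------
   4 HTTP/server.zone.example.com@EXAMPLE.COM
   4 HTTP/server.zone.example.com@EXAMPLE.COM
"""

# Constructed sample: `getprinc` output captured with kadmin.local on a KDC.
GETPRINC_OUTPUT = """\
Principal: HTTP/server.zone.example.com@EXAMPLE.COM
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
"""

def parse_keytab(listing):
    """Map each principal in plain `klist -k` text to its highest KVNO."""
    entries = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)", line)
        if m:
            princ = m.group(2)
            entries[princ] = max(int(m.group(1)), entries.get(princ, 0))
    return entries

def parse_getprinc(text):
    """Return (principal, highest KVNO) from one getprinc record."""
    princ = re.search(r"^Principal:\s*(\S+)", text, re.M).group(1)
    vnos = [int(v) for v in re.findall(r"^Key: vno (\d+),", text, re.M)]
    return princ, max(vnos)

def audit(listing, getprinc_records, dns_names, realm, service="HTTP"):
    """List (principal, problem) for every DNS name clients may use."""
    keytab = parse_keytab(listing)
    kdc = dict(parse_getprinc(r) for r in getprinc_records)
    findings = []
    for name in dns_names:
        princ = f"{service}/{name.lower()}@{realm}"
        if princ not in keytab:
            findings.append((princ, "missing from keytab"))
        elif princ in kdc and kdc[princ] != keytab[princ]:
            findings.append((princ, f"KVNO keytab={keytab[princ]} kdc={kdc[princ]}"))
    return findings

NAMES = ["server.zone.example.com", "server.example.com"]
FINDINGS = audit(KEYTAB_LISTING, [GETPRINC_OUTPUT], NAMES, "EXAMPLE.COM")
```

Feeding it `getprinc` output from both the master and the replica shows whether either disagrees with the keytab.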
