
Kerberos 5, kprop problem


Alex M. George
Apr 15, 2002, 10:06:34 AM

Hello all,

I am new to Kerberos and trying to implement it across campus for authentication.  The installation procedures from MIT are working fine up to the slave server replication part, which gives an error message:

kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
Generic remote error: Wrong principal in request
 

Listing the error messages and information.  Appreciate any help.  Thanks.
 

On the master server (kerberos.wayne.edu)

[root@kerberos]# kadmin
Authenticating as principal admin/ad...@KRB5.WAYNE.EDU with password.
Enter password:
kadmin:  listprincs *
K/M...@KRB5.WAYNE.EDU
admin/ad...@KRB5.WAYNE.EDU
host/kerberos-1...@KRB5.WAYNE.EDU
host/kerberos....@KRB5.WAYNE.EDU
kadmin/ad...@KRB5.WAYNE.EDU
kadmin/chan...@KRB5.WAYNE.EDU
kadmin/his...@KRB5.WAYNE.EDU
krbtgt/KRB5.WA...@KRB5.WAYNE.EDU
kadmin:
kadmin:
kadmin:
kadmin:  ktadd host/kerberos.wayne.edu
Entry for principal host/kerberos.wayne.edu with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  ktadd host/kerberos-1.wayne.edu
Entry for principal host/kerberos-1.wayne.edu with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit

[root@kerberos]# scp /etc/krb5.keytab ro...@kerberos-1.wayne.edu:/etc/krb5.keytab
ro...@kerberos-1.wayne.edu's password:
krb5.keytab          100% |*****************************|   174       00:00
[root@kerberos]#
[root@kerberos]# more /opt/local/var/krb5kdc/kpropd.acl
host/kerberos....@KRB5.WAYNE.EDU
host/kerberos-1...@KRB5.WAYNE.EDU

[root@kerberos]#
[root@kerberos]# more /etc/inetd.conf
300326/4        tli     rpc/tcp wait    root    /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon     dr_daemon
# rpc.metad
100229/1        tli     rpc/tcp         wait    root    /usr/sbin/rpc.metad     rpc.metad
# rpc.metamhd
100230/1        tli     rpc/tcp         wait    root    /usr/sbin/rpc.metamhd   rpc.metamhd
krb5_prop       stream  tcp     nowait  root    /opt/local/sbin/kpropd  kpropd
eklogin         stream  tcp     nowait  root    /opt/local/sbin/klogind klogind -k -c -e

[root@kerberos]#
[root@kerberos]# grep krb5_prop /etc/services
krb5_prop       754/tcp                         # Kerberos V5 KDC propagation

[root@kerberos]# kdb5_util dump -verbose /opt/local/var/krb5kdc/slave_datatrans
K/M...@KRB5.WAYNE.EDU
admin/ad...@KRB5.WAYNE.EDU
host/kerberos-1...@KRB5.WAYNE.EDU
host/kerberos....@KRB5.WAYNE.EDU
kadmin/ad...@KRB5.WAYNE.EDU
kadmin/chan...@KRB5.WAYNE.EDU
kadmin/his...@KRB5.WAYNE.EDU
krbtgt/KRB5.WA...@KRB5.WAYNE.EDU
[root@kerberos]#
[root@kerberos]# kprop -f /opt/local/var/krb5kdc/slave_datatrans kerberos-1.wayne.edu
kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
Generic remote error: Wrong principal in request

[root@kerberos]# tail /var/log/krb5kdc.log
Apr 15 09:50:49 kerberos.wayne.edu krb5kdc[19336](info): AS_REQ (2 etypes {16 1}) 141.217.1.205(88): ISSUE: authtime 1018878649, etypes {rep=16 tkt=16 ses=16}, host/kerberos....@KRB5.WAYNE.EDU for host/kerberos-1...@KRB5.WAYNE.EDU

On the slave machine (kerberos-1.wayne.edu)

[root@kerberos-1]# grep prop /etc/services
krb5_prop       754/tcp                         # Kerberos V5 KDC propagation
[root@kerberos-1]#

[root@kerberos-1]# more /opt/local/var/krb5kdc/kpropd.acl
host/kerberos....@KRB5.WAYNE.EDU
host/kerberos-1...@KRB5.WAYNE.EDU

[root@kerberos-1]#
 
 

Alex George.
Sr. System Engineer.
Wayne State University.

Norbert Veber
Apr 15, 2002, 3:09:26 PM

In article <3CBADE69...@wayne.edu>, Alex M. George wrote:
> Hello all,
>
> I am new to kerberos and trying to implement across campus for
> authentication. Installation procedures from MIT is working fine upto
> the slave server replication part, that give an error message:
>
> kprop: Server rejected authentication (during sendauth exchange) while
> authenticating to server
> Generic remote error: Wrong principal in request

I have the same configuration, with inetd.conf setup, keys exported to
/etc/krb5.keytab, host principals added, kpropd.acl setup, etc.
Everything works but the propagation. I get a different error than Alex
though:
root@abel[904:~]# /usr/local/sbin/kprop -d -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.domain.com
/usr/local/sbin/kprop: Client not found in Kerberos database while getting initial ticket

I read the installation manual several times to make sure I set
everything as instructed, and could find nothing wrong. I also read the
FAQ.

The master server is Solaris 7. I have two slave servers (debian/potato
and freebsd 4.5). The propagation doesn't work with either of them, and
nothing gets printed in the logs. All are running MIT krb5-1.2.4, built
from source.

Any ideas?

Thanks,

Norbert

Srinivas Cheruku
Apr 16, 2002, 8:35:08 AM

Look at the KDC logs. Then you will come to know which service principal it
is looking for and from that you can make out why it is going wrong.

Srini


Norbert Veber
Apr 16, 2002, 11:22:17 AM

Srinivas Cheruku wrote:
> Look at the kdc logs. Then you will come to know whcih service principal it
> is looking for and from that you can make out why it is going wrong.

I was looking at the logs, but I could've sworn I didn't see anything
relevant until now :)

# /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-2.domain.com

Here it is:
Apr 16 11:12:41 abel krb5kdc[26689](info): AS_REQ (2 etypes {16 1}) 10.0.1.3(88): CLIENT_NOT_FOUND: host/ab...@REALM.COM for host/weber.do...@REALM.COM, Client not found in Kerberos database.

'abel' is the main server, it has a cname of 'kerberos'. 'weber' is one
of the secondaries, cname kerberos-2.

For some reason it's trying to find the canonical hostname of the
machine. The installation manual said it should work with CNAMEs..

Did I maybe screw up my domain/realm mappings? I have the following in
krb5.conf:
[domain_realm]
.domain.com = REALM.COM
domain.com = REALM.COM

Thanks,

Norbert

Ken Hornstein
Apr 16, 2002, 11:37:57 AM

>'abel' is the main server, it has a cname of 'kerberos'. 'weber' is one
>of the secondaries, cname kerberos-2.
>
>For some reason its trying to find the canonical hostname of the
>machine. The installation manual said it should work with CNAMES..

I think you misread the manual. In Kerberos you always want to use the
canonical name (and the "short" name isn't a CNAME in any case, unless
you placed the CNAME record at the root of the DNS).

--Ken

Norbert Veber
Apr 16, 2002, 2:02:01 PM

Ken Hornstein wrote:
>>'abel' is the main server, it has a cname of 'kerberos'. 'weber' is one
>>of the secondaries, cname kerberos-2.
>>
>>For some reason its trying to find the canonical hostname of the
>>machine. The installation manual said it should work with CNAMES..
>
> I think you misread the manual. In Kerberos you always want to use the
> canonical name (and the "short" name isn't a CNAME in any case, unless
> you placed the CNAME record at the root of the DNS).

Hmm. To quote the manual:
MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as kerberos for the master KDC and
kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to
swap a machine, you only need to change a DNS entry, rather than having
to change hostnames.

I'm not sure what you mean by "short" name. My setup is such that each
machine has a hostname: abel, weber, schrodinger. Then I setup some
CNAME records in my dns as suggested by the manual:
kerberos -> abel
kerberos-1 -> schrodinger
kerberos-2 -> weber

The principals I added and refer to everywhere in my configuration are
my CNAME records. I.e.
kadmin: listprincs
K/M...@REALM.COM
admin/ad...@REALM.COM
host/kerberos-1...@REALM.COM
host/kerberos-2...@REALM.COM
host/kerberos....@REALM.COM
kadmin/ad...@REALM.COM
kadmin/chan...@REALM.COM
kadmin/his...@REALM.COM
krbtgt/REAL...@REALM.COM

Of course in the above I have replaced the real realm/domain with "REALM"
and "domain" respectively. I did however follow the recommendation to
make the REALM name the same as the domain name in upper case..

Thanks,

Norbert

Ken Hornstein
Apr 16, 2002, 2:24:36 PM

>Hmm. To quote the manual:
>MIT recommends that your KDCs have a predefined set of CNAME records
>(DNS hostname aliases), such as kerberos for the master KDC and
>kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to
>swap a machine, you only need to change a DNS entry, rather than having
>to change hostnames.

Right, but that's not what you're doing. You always need to use the
canonical name ... the REAL name. You shouldn't create service tickets
using aliases (don't create a service ticket called "host/kerberos").

This is part of the confusion about a CNAME record. The canonical name
is the part on the right side of the record; the left side of the
CNAME record is the alias. In Kerberos, you never create principals using
the alias (well, you _can_, but on Unix implementations, it's almost always
a bad idea).

>I'm not sure what you mean by "short" name. My setup is such that each
>machine has a hostname: abel, weber, schrodinger. Then I setup some
>CNAME records in my dns as suggested by the manual:

What I mean by a "short" name is unqualified - you want to always use
a fully qualified domain name in Kerberos principals.

Norbert Veber
Apr 18, 2002, 2:10:44 PM

Ken Hornstein wrote:
>>Hmm. To quote the manual:
>>MIT recommends that your KDCs have a predefined set of CNAME records
>>(DNS hostname aliases), such as kerberos for the master KDC and
>>kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to
>>swap a machine, you only need to change a DNS entry, rather than having
>>to change hostnames.
>
> Right, but that's not what you're doing. You always need to use the
> canonical name ... the REAL name. You shouldn't create service tickets
> using aliases (don't create a service ticket called "host/kerberos").

I am not creating a service ticket (unless kprop is doing it behind the
scenes). These are just the principals for the KDCs, to quote the
manual again:

Each KDC needs a host principal in the Kerberos database. You can enter
these from any host, once the kadmind daemon is running. For example, if
your master KDC were called kerberos.mit.edu, and you had two KDC slaves
named kerberos-1.mit.edu and kerberos-2.mit.edu, you would type the
following:
shell% /usr/local/sbin/kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
etc..

So the manual says to make CNAME records for your KDCs called
kerberos, kerberos-2, etc. Then to add those CNAME records as
principals. So either you or the manual is wrong, or I'm very dense and
I don't get it :)

Frankly it wouldn't make sense to create kerberos, kerberos-1, etc.
CNAMEs, and then use canonical names everywhere. What's the point of
having the CNAME then? The whole idea is that you can switch KDCs -
make a slave into master and vice versa easily by changing the CNAME to
point to the correct canonical names, and making some changes in the
kerberos configuration.

See section: "Switching Master and Slave KDCs"

This procedure would be a lot more involved if you used canonical names..

> This is part of the confusion about a CNAME record. The canonical name
> is the part on the right side of the record; the left side of the
> CNAME record is the alias. In Kerberos, you never create principals using
> the alias (well, you _can_, but on Unix implementations, it's almost always
> a bad idea).

If that's true, then the manual needs to be corrected.

Ken Hornstein
Apr 18, 2002, 2:33:07 PM

>I am not creating a service ticket (unless kprop is doing it behind the
>scenes). These are just the pricipals for the KDC's, to quote the
>manual again:

Those things you've been adding are what I've been talking about (but really
better terminology is "service principals").

>Each KDC needs a host principal in the Kerberos database. You can enter
>these from any host, once the kadmind daemon is running. For example, if
>your master KDC were called kerberos.mit.edu, and you had two KDC slaves
>named kerberos-1.mit.edu and kerberos-2.mit.edu, you would type the
>following:
>shell% /usr/local/sbin/kadmin
>kadmin: addprinc -randkey host/kerberos.mit.edu
>etc..
>
>So the manual says to make CNAME records for your KDC's called
>kerberos, kerberos-2, etc. Then to add those CNAME records as
>principals. So either you or the manual is wrong, or I'm very dense and
>I dont get it :)

Wait, but the manual doesn't say that (at least, the bit you quoted).
It doesn't say anything about creating CNAMEs there. It just says, "If
your KDC is called "kerberos.mit.edu", here is what you run inside
kadmin". I'll admit that it's confusing, but I don't see where it says
to create service principals based on hostname aliases.

>Frankly it wouldnt make sense to create kerberos, kerberos-1, etc
>CNAMES, and then use canonical names everywhere. Whats the point of
>having the CNAME then? The whole idea is that you can switch KDC's -
>make a slave into master and vice versa easily by changing the CNAME to
>point to the correct canonical names, and making some changes in the
>kerberos configuration.

When you start distributing krb5.conf files to clients, you will find it's
painful to change them; the idea behind CNAMEs is that you can change those
without affecting your clients.

>> This is part of the confusion about a CNAME record. The canonical name
>> is the part on the right side of the record; the left side of the
>> CNAME record is the alias. In Kerberos, you never create principals using
>> the alias (well, you _can_, but on Unix implementations, it's almost always
>> a bad idea).
>
>If thats true, then the manual needs to be corrected.

But you haven't shown where the manual says that.

Marius Sorteberg
Apr 19, 2002, 11:11:45 AM

Hi!

I have the same problem, and solved it by creating service tickets for my KDCs' "A" records as well.
But I don't think this is the right way of doing it..

>Wait, but the manual doesn't say that (at least, the bit you quoted).
>It doesn't say anything about creating CNAMEs there. It just says, "If
>your KDC is called "kerberos.mit.edu", here is what you run inside
>kadmin". I'll admit that it's confusing, but I don't see where it says
>to create service principals based on hostname aliases.

Look at this section:
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.4/doc/install.html#SEC12

And this:
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.4/doc/install.html#SEC59

I like to do this "the right way", so please help, if you know what to do.

Thanks!

Marius Sorteberg

Ken Hornstein
Apr 19, 2002, 2:36:50 PM


I looked at those; neither of those sections say, "Create host principals
for your KDCs based on the alias instead of the canonical name".

--Ken
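Both failures in this thread, Norbert's CLIENT_NOT_FOUND on the AS_REQ and Alex's "Wrong principal in request" at the sendauth step, come down to which host name ends up inside the host/ principal. The script below is an added example, not code from the thread or from MIT Kerberos: it models how kprop derives its own client principal and the slave's service principal through the resolver (following CNAMEs to the canonical name, as Ken describes), how kpropd derives the name it will accept, and then reports every mismatch against a constructed KDC database and kpropd.acl. The zone, host names, addresses and realm are constructed; the CNAME layout (kerberos -> abel, kerberos-1 -> schrodinger, kerberos-2 -> weber) follows Norbert's description. The `slave_dns` parameter is this example's own device for a slave whose hosts file canonicalises its name differently from the zone, which is one assumed, not thread-confirmed, way to end up with the "Wrong principal in request" error. Unlike the real KDC, which logs only the first failure it hits, the checker lists all of them.

```python
"""Model of how MIT kprop and kpropd derive the principals they use.

Added example; not part of the original thread.  The zone, hosts, realm
and database contents are constructed for illustration."""

REALM = "REALM.COM"
DOMAIN = "domain.com"

# Constructed zone in the shape the thread describes: kerberos, kerberos-1
# and kerberos-2 are CNAMEs pointing at the real (canonical) host names.
DNS = {
    "kerberos.domain.com": ("CNAME", "abel.domain.com"),
    "kerberos-1.domain.com": ("CNAME", "schrodinger.domain.com"),
    "kerberos-2.domain.com": ("CNAME", "weber.domain.com"),
    "abel.domain.com": ("A", "10.0.1.2"),
    "schrodinger.domain.com": ("A", "10.0.1.4"),
    "weber.domain.com": ("A", "10.0.1.3"),
}


def canonical_name(name, dns=DNS, domain=DOMAIN):
    """Qualify a short name and follow CNAMEs to the A-record owner.

    This is the resolver canonicalisation krb5_sname_to_principal() relies
    on, and the reason a principal built from an alias never matches."""
    fqdn = name.lower().rstrip(".")
    if "." not in fqdn:
        fqdn = f"{fqdn}.{domain}"
    seen = set()
    while fqdn in dns and dns[fqdn][0] == "CNAME":
        if fqdn in seen:
            raise ValueError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        fqdn = dns[fqdn][1]
    return fqdn


def host_principal(name, realm=REALM, dns=DNS):
    """host/<canonical fqdn>@REALM, as sname_to_principal would build it."""
    return f"host/{canonical_name(name, dns)}@{realm}"


def diagnose_kprop(master, slave, db_principals, acl, slave_dns=DNS):
    """List the errors a `kprop -f slave_datatrans <slave>` run would hit.

    master, slave   host names as typed on the master (aliases allowed)
    db_principals   principals present in the KDC database
    acl             principals listed in the slave's kpropd.acl
    slave_dns       how the slave resolves its own name; defaults to the
                    shared zone, but a hosts file can disagree with it
    Unlike the KDC, which stops at the first error, every mismatch is listed.
    """
    client = host_principal(master)                  # AS_REQ client: kprop's own identity
    server = host_principal(slave)                   # service kprop requests a ticket for
    expected = host_principal(slave, dns=slave_dns)  # what kpropd believes its own name is
    problems = []
    if client not in db_principals:
        problems.append(f"CLIENT_NOT_FOUND: {client} not in KDC database")
    if server not in db_principals:
        problems.append(f"S_PRINCIPAL_UNKNOWN: {server} not in KDC database")
    if server != expected:
        problems.append(
            f"Wrong principal in request: ticket is for {server} "
            f"but kpropd expects {expected}")
    if client not in acl:
        problems.append(f"kpropd.acl does not list {client}")
    return problems


if __name__ == "__main__":
    # Principals created from the aliases, as in the thread: reproduces CLIENT_NOT_FOUND.
    alias_db = {host_principal(h, dns={}) for h in ("kerberos", "kerberos-1", "kerberos-2")}
    print(diagnose_kprop("abel", "kerberos-2", alias_db, alias_db))
    # Principals created from the canonical names: propagation is clean.
    canon_db = {host_principal(h) for h in ("abel", "schrodinger", "weber")}
    print(diagnose_kprop("abel", "kerberos-2", canon_db, canon_db))
```

Run against principals built from the aliases, it reports the same client principal the KDC logged for Norbert (host/abel... rather than host/kerberos...). Built from the canonical names, with those names also listed in kpropd.acl, it reports nothing, which is the configuration Ken is recommending: host/<canonical name> principals and keytab entries on every KDC, with the kerberos and kerberos-N CNAMEs reserved for what clients put in krb5.conf.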
