
Re: hprop problem with krb4-db database




Florian Daniel Otel <florian.otel@gmail.com> writes:

> Hello all,
>
> I am trying to migrate from a KTH-KRB4 installation to Heimdal and I
> have two questions:
>
> 1) hprop refuses to work on the krb4-db format
>
> The problem I have is that "hprop" refuses to convert the principal
> database when given the "krb4-db" format:
>
> [....]
> root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db 
> --source=krb4-db -n > /tmp/test
> kerb_dbl_init: couldn't open /var/lib/kerberos/principal.ok
> open: No such file or directory
> root@florians:/var/lib/heimdal-kdc# # Ok...That dir doesn't exit, I
> can create if you really need it (why would you want it...??)
> root@florians:/var/lib/heimdal-kdc# mkdir -p /var/lib/kerberos
> root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
> --source=krb4-db -n > /tmp/test
> kerb_dbl_init: couldn't open /var/lib/kerberos/principal.ok
> open: No such file or directory
> root@florians:/var/lib/heimdal-kdc# # Now this is really weird...I
> assumed that was some sort of lock file ....
> root@florians:/var/lib/heimdal-kdc# touch /var/lib/kerberos/principal.ok
> root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
> --source=krb4-db -n > /tmp/test
> hprop: kerb_db_iterate: Service expired (kerberos)
> [...]
>
> However, hprop is a bit more cooperative if the database is given in
> ASCII format (i.e. "krb4-dump" format):

Since you say this, I won't comment on the problem above.
> [...]
> root@florians:/var/lib/heimdal-kdc# hprop -d ./slave_dump
> --source=krb4-dump -n > /tmp/test
> hprop: krb5_425_conv_principal rcmd.server1@MY.REALM: Failed to
> convert v4 principal

It tries to map the service name "rcmd.server1", which is the Kerberos 4
style name, to the FQDN form "host/service1.example.org@MY.REALM", but
since the machine can't be found in DNS or in the [domain_realm] mapping file,
it fails. Check if the machine does exist and, if it does, what the
FQDN is and why hprop can't resolve the address on the KDC.

> 2) hprop/hpropd and keytabs for different principals (and on which servers?)
>
> Since the documentation is ...well...."very scarce", I have the
> following related question: If I want to set up a Heimdal
> Master/Slave KDC replication with hprop/hpropd, for which of these
> principals do I need keytabs:

Have you found the info documentation? It's both in the installed tree and
as an html'ized version on the Heimdal web page.

>
> ... kadmin/admin on the master KDC?
> ... kadmin/changepw on the master KDC? For this principal apparently the
> only way to add a keytab on the master KDC is via "kadmin -l". Trying to do
> that using "ktutil get kadmin/changepw" locally failed with "Key
> table entry not found"??

kadmin and kpasswdd read this key directly from the database.

> ... kadmin/hprop on the master KDC?
> ... host/master-KDC.mydomain.name on the master KDC? (The docs
> say the master KDC will use kadmin/hprop for "hprop-ing" with the slaves...?!)
> ... hosts/slave-KDC.mydomain.name on slave KDCs?
> ... hprop/slave-kerberos-server.mydomain.name on slave KDCs?

This is described in the info documentation.

> P.S. Any suggestions/pointers to more resources about how to migrate
> from KRB4-KTH to Heimdal would be highly appreciated.

Sorry, I tried to write down all I needed when I did the conversion, and that
is what's in the documentation. It was so long ago I can no longer remember
all the details.

Love
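As an added illustration of the name conversion discussed in this thread (example code, not Heimdal's own and not part of the original mail): a Python model of how a v4 "name.instance@REALM" principal becomes its v5 form, and why "rcmd.server1" fails when the host cannot be resolved or is not mapped to the realm. DNS and the [domain_realm] section are replaced by constructed tables so it runs offline; the rcmd -> host mapping is Heimdal's default, the other HOST_SERVICES entries are assumptions.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-ins so the example runs offline: a DNS table
# (short name -> FQDN) and the [domain_realm] section of krb5.conf.
HOSTS: Dict[str, str] = {"server1": "server1.example.org"}
DOMAIN_REALM: Dict[str, str] = {".example.org": "MY.REALM"}
# v4 service names that become host-based v5 principals; the rcmd -> host
# mapping is Heimdal's default, the other entries are assumptions.
HOST_SERVICES: Dict[str, str] = {"rcmd": "host", "ftp": "ftp", "pop": "pop"}


class ConversionError(Exception):
    """Raised where hprop reports 'Failed to convert v4 principal'."""


def parse_v4(principal: str) -> Tuple[str, str, str]:
    """Split a v4 'name.instance@REALM' string into its three parts."""
    body, _, realm = principal.partition("@")
    name, _, instance = body.partition(".")
    return name, instance, realm


def realm_for_host(fqdn: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Longest matching domain suffix wins, as in [domain_realm] lookups."""
    name = fqdn.lower()
    matches = [(d, r) for d, r in domain_realm.items()
               if name == d.lstrip(".") or name.endswith(d)]
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None


def convert_v4_principal(name: str, instance: str, realm: str,
                         hosts: Dict[str, str] = HOSTS,
                         domain_realm: Dict[str, str] = DOMAIN_REALM) -> str:
    """Return the v5 principal, or raise ConversionError with the reason."""
    if name not in HOST_SERVICES:
        # Plain user/service principal: only the separator changes.
        return f"{name}/{instance}@{realm}" if instance else f"{name}@{realm}"
    fqdn = hosts.get(instance.lower())
    if fqdn is None:
        raise ConversionError(f"cannot resolve host '{instance}' to an FQDN")
    host_realm = realm_for_host(fqdn, domain_realm)
    if host_realm != realm:
        raise ConversionError(f"{fqdn} maps to realm {host_realm}, not {realm}")
    return f"{HOST_SERVICES[name]}/{fqdn}@{realm}"


def explain(principal: str) -> str:
    """Convert one v4 principal or say why hprop would reject it."""
    try:
        return convert_v4_principal(*parse_v4(principal))
    except ConversionError as e:
        return f"FAILED {principal}: {e}"
```

Running explain() over each line of a krb4-dump shows which entries hprop would reject before the real conversion is attempted.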

