[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: iprop problem



> Don't know about 64-bit issues, but seems like it should be OK.  You  
> can check it with kinit --keytab=/var/heimdal/<iprop-keytab> iprop/ 
> <machine>.

If you are referring whether this gives me a ticket, it does. BTW, is
there a strong reason not to keep iprop keys in /etc/krb5.keytab? Of
course, iprop then needs to be root, but at least Debian iprop runs as
root out-of-the-box, so changing that may prove troublesome.

> I suggest you delete the relevant files from /var/heimdal (excepting  
> the keytab that I assume you put there), and start from scratch.   
> Could you give us a step-by-step of what you're trying and when it  
> fails?

Here goes. First, I scapped the whole heimdal-kdc from the machine.
(For Debianists: aptitude purge heimdal-kdc.) After that, reinstall the
beast (and config files), start kdc and start iprop slave. The first
indication of trouble is in heimdal-krb5lib.log:

2006-11-02T09:41:09 kadm5_log_replay: 25: Decrypt integrity check failed

After that, there are many, many messages like that and even some "Entry
already exists in database" -messages. (Is iprop slave trying to get the
same entry more than once from the master? Why?)

After the db is in sync (which takes horribly long, presumably due to the
aforementioned errors), I try to kinit:

kelvin:/var/lib/heimdal-kdc# kinit
juhaj/admin@TFY.UTU.FI's Password: 
kinit: krb5_get_init_creds: Client (juhaj/admin@TFY.UTU.FI) unknown

Simultaneously kdc.log says (I sanitised it a bit):

AS-REQ juhaj/admin@TFY.UTU.FI from IPv4:X for krbtgt/TFY.UTU.FI@TFY.UTU.FI
UNKNOWN -- juhaj/admin@TFY.UTU.FI: Decrypt integrity check failed

I know that "Decrypt integrity check failed" is almost synonymous to
"incorrect password", but I can vouch for that: I even tried copy & paste
the password.

Can there be something wrong with the database itself? (It works fine,
though.) Would it help, if I did the initial sync with kadmin dump on
master and kadmin load on slave? How would I encrypt the db on the slave
in that case?

-Juha

-- 
                 -----------------------------------------------
                | Juha Jäykkä, juolja@utu.fi			|
		| Laboratory of Theoretical Physics		|
		| Department of Physics, University of Turku	|
                | home: http://www.utu.fi/~juolja/              |
                 -----------------------------------------------

--Sig_d8pxXhuiTGMZI5W8u7cbUgC
Content-Type: application/pgp-signature; name¬gnature.asc
Content-Disposition: attachment; filename¬gnature.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFSa227S6DRdEiFtYRAo17AKDNoXEckgc2r5NWfeaqIn52VkprDgCgiL5g
0aFRrl3v+/hgyS03WylY0K8GXg
-----END PGP SIGNATURE-----

--Sig_d8pxXhuiTGMZI5W8u7cbUgC--