Jeffrey Hutzelman wrote:
> >     /usr/kerberos/sbin/kprop: Password has expired while getting
> >     initial ticket
> 
> I believe the principal you're looking for is kprop/fqdn.of.master.kdc

Close; it turned out to be host/[EMAIL PROTECTED]

> You should probably arrange for it not to have a password expiration 
> policy.

For others' benefit, here's how I did this:

kadmin: listprincs

    [...]

    host/[EMAIL PROTECTED]
    host/[EMAIL PROTECTED]
    host/[EMAIL PROTECTED]

    [...]

kadmin: getprinc host/[EMAIL PROTECTED]

[...]

    Password expiration date: Thu Aug 25 12:30:07 PDT 2005

[...]

kadmin: modify_principal -pwexpire never host/[EMAIL PROTECTED]
    Principal "host/[EMAIL PROTECTED]" modified.

kadmin: modify_principal -pwexpire never host/[EMAIL PROTECTED]
    Principal "host/[EMAIL PROTECTED]" modified.

kadmin: modify_principal -pwexpire never \ 
        host/[EMAIL PROTECTED]
    Principal "host/[EMAIL PROTECTED]" modified.

I then copied /var/kerberos/krb5kdc/principal from the master to the
slave KDC. Now the database propagation works again.

(I don't know if I only had to turn off password expiration for the
master or slave KDC's host principal, and I surely didn't have to do
so for the third, non-KDC machine in my home network/realm. However, I
figured it made sense to be consistent across the board; after all,
who knows if I'll one day run a slave KDC on the third machine as
well?)

-- 
<URL:http://www.pobox.com/~ylee/>                       PERTH ----> *

Homemade 2.8TB RAID 5 storage array:
<URL:http://groups.google.ca/groups?selm=slrnd1g04a.5mt.ylee%40pobox.com>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
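
An added example, not part of the original message: a small Python check that reads getprinc-style output and lists principals whose password has already expired or will expire within a window, the condition behind the kprop failure described above. The sample text, the example.com principal names and the "[never]"/"[none]" markers for "no expiration" are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: getprinc-style output for three hypothetical principals.
SAMPLE = """\
Principal: host/kdc1.example.com@EXAMPLE.COM
Password expiration date: Thu Aug 25 12:30:07 PDT 2005
Principal: host/kdc2.example.com@EXAMPLE.COM
Password expiration date: [never]
Principal: host/ws1.example.com@EXAMPLE.COM
Password expiration date: Mon Jan 02 08:00:00 PST 2006
"""

NO_EXPIRY = {"[never]", "[none]"}  # assumed spellings of "no expiration"


def parse_expiry(value):
    """Return a naive datetime, or None when the password never expires."""
    value = value.strip()
    if value in NO_EXPIRY:
        return None
    # Drop the zone abbreviation (5th field): strptime cannot parse "PDT"
    # portably, so the result is local wall-clock time on the KDC.
    _dow, mon, day, clock, _tz, year = value.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def expiring_principals(text, now, window_days=30):
    """List (principal, expiry) pairs expired or expiring within the window."""
    hits, current = [], None
    cutoff = now + timedelta(days=window_days)
    for line in text.splitlines():
        m = re.match(r"\s*Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Password expiration date:\s*(.+)", line)
        if m and current:
            expiry = parse_expiry(m.group(1))
            if expiry is not None and expiry <= cutoff:
                hits.append((current, expiry))
    return hits


if __name__ == "__main__":
    for name, when in expiring_principals(SAMPLE, datetime(2005, 8, 1)):
        print(f"{name}: password expires {when:%Y-%m-%d %H:%M}")
```

Run on a schedule against saved getprinc output for the host principals used by propagation, this flags an approaching expiration before kprop starts failing.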
