"Richard E. Silverman" <[EMAIL PROTECTED]> writes:
...
> Check the key version number:
>
> # klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 14 host/[EMAIL PROTECTED]
>
> $ kvno host/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]: kvno = 14
>
> Make sure they match. If they don't, re-extact the key:
>
> # kadmin
> Password for you/[EMAIL PROTECTED]:
> kadmin: ktadd -k /etc/krb5.keytab host/[EMAIL PROTECTED]
Couple of things.
There is another way to check out whether a keytab works: kinit.
This is good because it's not impossible to get a keytab that *appears*
to have the same kvno but doesn't work. (for instance, delete the
principal, then recreate it.)
For instance:
spam# klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
3 08/19/04 03:56:25 imap/[EMAIL PROTECTED] (Triple DES cbc mode with
HMAC/sha1)
3 08/19/04 03:56:25 imap/[EMAIL PROTECTED] (DES cbc mode with
CRC-32)
3 03/22/06 04:01:29 pop/[EMAIL PROTECTED] (Triple DES cbc mode with
HMAC/sha1)
3 03/22/06 04:01:29 pop/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
spam#
tells me I have 2 principals, each with 2 encryption types,
(and when those keytab entries were written, if you care.)
spam# kinit -k -t /etc/krb5.keytab imap/spam.ifs.umich.edu
spam# klist -5fea
Ticket cache: FILE:/tmp/krb5cc_25131_eVt6pe
Default principal: imap/[EMAIL PROTECTED]
Valid starting Expires Service principal
07/11/06 00:45:16 07/12/06 00:45:16 krbtgt/[EMAIL PROTECTED]
Flags: FPI, Etype (skey, tkt): Triple DES cbc mode with
HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Addresses: (none)
spam#
tells me that I have a keytab entry that actually works for
imap/[EMAIL PROTECTED], also it looks likely that I
used 3des to get that key (plus some other information of no particular
consequence here.)
Another clue that's sometimes useful is log file entries, in this case,
in krb5kdc's log:
Jul 11 00:45:16 AS_REQ (7 etypes {18 17 16 23 1 3 2}) 141.211.1.36:
ISSUE: authtime 1152593116, etypes {rep=16 tkt=16 ses=16}, imap/[EMAIL
PROTECTED] for krbtgt/[EMAIL PROTECTED]
For instance, that can tell you which principal you were actually trying to
authenticate
as.
Secondly, in this case, since it appears that "jonr" is trying to
set up replication, it's important to be very careful about configuration
files. Specifically, you probably don't want krb5.conf entries (or DNS
entries) that point to slaves until you have replication working to those
slaves.
If you're somehow trying to get a ticket from a slave that has an old
copy of the database, there's definitely opportunity for confusion.
-Marcus
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
