On 2022-07-17 21:03, Ken Hornstein wrote:

>> [27738] 1658108981.225629: Received error from KDC: -1765328377/Server not found in Kerberos database
>
> Which suggests you did not (although it wasn't from the primary KDC, which suggests that maybe whatever KDC you used didn't have it replicated yet).
> The KDC logs should explain what went wrong.

The KDC logs revealed that indeed the principal did not exist. I had updated the krb5.conf to use a cname for the admin principal and kpropd is using the entry in the krb5.conf without canonicalization. I changed the krb5.conf file to use host names that matched the principals that I had created. That along with making sure kadm5.acl and kpropd.acl had the appropriate entries solved my problem. Thanks for the pointer. (Who would have thought to look in the logs? Certainly now me.)

I am a bit surprised that the cnames in the krb5.conf file were the problem.
I would like to use a common krb5.conf file everywhere deployed by our
configuration management processes.  I guess one way would be to create
principals for the cnames.  Seems a bit unclean.  Or just have a unique
krb5.conf for kdc systems.

Thanks again Greg and Ken for the help.  My head was getting sore from
pounding against that wall.

Bill

--
Bill MacAllister <[email protected]>

"Can't sing louder than the guns when I'm gone,
so I guess I'll have to do it while I'm here."
Phil Ochs
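A small check in the spirit of Bill's fix, added here as an example and not code from the thread: it parses the kdc and admin_server names out of a krb5.conf and reports which host/<name>@REALM principals are absent from a kadmin principal listing, so an alias that never got a principal shows up before kprop fails. It assumes host/ principals are the ones that must match (the thread does not say which) and runs on constructed sample input.

```python
import re

# Constructed sample krb5.conf (not taken from the thread). kdc2 and kadmin
# are meant to be aliases (CNAMEs) for hosts whose real names differ.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        kdc = kdc2.example.com:88
        admin_server = kadmin.example.com
    }
"""

# Constructed `kadmin list_principals` output for the same hypothetical realm.
SAMPLE_PRINCIPALS = """
host/kdc.example.com@EXAMPLE.COM
host/kdc-02.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
"""


def parse_realm_hosts(conf):
    """Return {realm: [hostname, ...]} for the kdc and admin_server entries in
    the [realms] section of a krb5.conf. Ports are stripped, comments ignored."""
    hosts, section, realm = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.match(r"\[(\w+)\]$", line):
            section = m.group(1)
        elif section != "realms":
            continue
        elif m := re.match(r"(\S+)\s*=\s*\{$", line):
            realm = m.group(1)
            hosts.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and (m := re.match(r"(kdc|admin_server)\s*=\s*(\S+)", line)):
            hosts[realm].append(m.group(2).split(":")[0])
    return hosts


def missing_host_principals(conf, principals):
    """List every host/<name>@REALM principal implied by the configured kdc
    and admin_server names that is absent from the database listing."""
    have = {p.strip() for p in principals.splitlines() if p.strip()}
    wanted = [f"host/{n}@{r}" for r, ns in parse_realm_hosts(conf).items() for n in ns]
    return [p for p in wanted if p not in have]
```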
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos