Bill MacAllister <[email protected]> writes:

> The KDC logs revealed that indeed the principal did not exist. I had
> updated the krb5.conf to use a cname for the admin principal and kpropd
> is using the entry in the krb5.conf without canonicalization. I changed
> the krb5.conf file to use host names that matched the principals that I
> had created. That along with making sure kadm5.acl and kpropd.acl had
> the appropriate entries solved my problem. Thanks for the pointer.
> (Who would have thought to look in the logs? Certainly now me.)
Is this the thing where kpropd always uses exactly the hostname you have
listed and doesn't do any DNS canonicalization? If so, I've run into that
before and I think I just put keys for all of the principals that could be
formed from all the possible replica names in the keytab file for the
replicas and my recollection is that worked, although it's been a few years.

> I guess one way would be to create principals for the cnames.

Right, yeah, that. Similar to what we had to do with LDAP servers.

-- 
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
