• How to view KVNO on slave

    From Mike@21:1/5 to All on Sat Oct 7 11:18:32 2023
    Folks,

    I have recently upgraded my server estate and this in turn uncovered my
    aging 3DES Kerberos principals. I've been through and rekeyed them
    with AES and this has created a little problem. Something went wrong
    with the service principal for one of my Apache servers and now key
    based authentication is no longer working on that host. I've been
    trying to debug it to no avail. Unfortunately mod_auth_gssapi, as
    far as I can tell, doesn't like giving too much info out.

    I'm surmising that the issue might be that the service principal may not
    have replicated correctly to the slave server, which is used by the
    Apache host. I can see the ticket details on the master using
    kadmin.local and getprinc and I can see the keytab info using ktutil.
    My question is this: How does one view the KVNO in the slave DB? I
    imagine it's probably available via kdb5_util dump but unfortunately I
    have not found any documents explaining the fields in the dump.

    If anyone can advise on how to get the KVNO from the slave or indeed has
    any other advice, it would be gratefully received.

    Regards,
    Mike.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Mike via Kerberos on Sat Oct 7 09:27:00 2023
    Mike via Kerberos <kerberos@mit.edu> writes:

    > I'm surmising that the issue might be that the service principal may not
    > have replicated correctly to the slave server, which is used by the
    > Apache host. I can see the ticket details on the master using
    > kadmin.local and getprinc and I can see the keytab info using ktutil.
    > My question is this: How does one view the KVNO in the slave DB? I
    > imagine it's probably available via kdb5_util dump but unfortunately I
    > have not found any documents explaining the fields in the dump.

    You can use kadmin.local on the slave the same way that you use it on the
    master, I'm fairly sure. It's been a while since I've done this, but I'm
    pretty sure the database is the same and the tool doesn't have any idea
    whether you're running it on a master or a slave.

    I would expect you to get replication errors if there was a replication
    problem. If you're only doing incremental replication and you think
    something may have gone wrong, you can always do a full replication,
    which guarantees that the slave is identical to the master.

    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

  • From Mike@21:1/5 to Russ Allbery on Thu Oct 12 14:01:30 2023
    To: kerberos@mit.edu (Mike via Kerberos)

    On 07/10/2023 17:27, Russ Allbery wrote:
    > Mike via Kerberos <kerberos@mit.edu> writes:
    >
    >> I'm surmising that the issue might be that the service principal may not
    >> have replicated correctly to the slave server, which is used by the
    >> Apache host. I can see the ticket details on the master using
    >> kadmin.local and getprinc and I can see the keytab info using ktutil.
    >> My question is this: How does one view the KVNO in the slave DB? I
    >> imagine it's probably available via kdb5_util dump but unfortunately I
    >> have not found any documents explaining the fields in the dump.
    >
    > You can use kadmin.local on the slave the same way that you use it on the
    > master, I'm fairly sure. It's been a while since I've done this, but I'm
    > pretty sure the database is the same and the tool doesn't have any idea
    > whether you're running it on a master or a slave.
    >
    > I would expect you to get replication errors if there was a replication
    > problem. If you're only doing incremental replication and you think
    > something may have gone wrong, you can always do a full replication,
    > which guarantees that the slave is identical to the master.


    Hi Russ,

    Thanks for the info. You were indeed correct, kadmin.local can be used
    on the slave DB. It's not installed by default on Debian, at least, as
    it comes as part of the kadmin package. I installed it and saw that the
    KVNO is up to date.

    I eventually happened upon the answer in the kdc.log on the master. It
    was a DNS mix up. The web server has two DNS names
    server.zone.example.com and server.example.com. The service principal
    was HTTP/server.zone.example.com and the log was complaining about not
    being able to find a service principal for HTTP/server.example.com. So
    I created one, added it to the keytab and things started working again!

    It was simple in the end; trouble is I'd been concentrating on the
    logging of the slave server and the web server, neither of which
    recorded anything helpful.

    The only weird thing is that it also (I later found out) affected
    another web server in the same way, which had been working for years. It
    wasn't until I rekeyed the service principal that the problem seemed to
    arise. I guess that part will remain a mystery. It is now fixed,
    however, and I thank you again for your assistance.

    Kind regards,
    Mike.

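The two checks the thread arrives at (does the KVNO agree between master KDC, replica KDC and the host keytab, and does every DNS name clients use for the web host have a matching HTTP/ principal in the keytab) are scriptable. The block below is an added example, not code from the thread or from MIT Kerberos; it parses constructed sample output of `kadmin.local -q "getprinc ..."` and `klist -ke` so that it runs offline. The realm EXAMPLE.COM, the keytab path /etc/apache2/krb5.keytab and the stale replica entry (vno 3, 3DES) are assumptions chosen to show what a mismatch looks like; in the thread itself the replica turned out to be up to date. The live commands each sample stands in for are given in comments.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check a service principal's KVNO
# across master KDC, replica KDC and host keytab, then check that every DNS
# name the web host answers to has an HTTP/<name> entry in the keytab.
#
# Live equivalents of the constructed samples below:
#   kadmin.local -q "getprinc HTTP/server.zone.example.com"   # on master, then on replica
#   klist -ke /etc/apache2/krb5.keytab                           # on the web host
#   kinit -kt /etc/apache2/krb5.keytab HTTP/server.zone.example.com  # keytab sanity check
#   kvno HTTP/server.example.com                                 # from a client holding a TGT

# KVNO from getprinc output: one "Key: vno N, <enctype>" line per key. After a
# clean rekey every key shares one vno, so report the highest. "MKey: vno" is
# the master key and is deliberately not matched (anchored on ^Key:).
getprinc_kvno() {
    sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -n | tail -n 1
}

# KVNO stored in a keytab for one principal, from `klist -ke` output
# ($1 = principal without realm, stdin = klist output). Header lines have no
# "<princ>@" in field 2, so they fall through.
keytab_kvno() {
    awk -v p="$1" 'index($2, p "@") == 1 { print $1 }' | sort -n | tail -n 1
}

# Print each DNS name ($@) that has no HTTP/<name>@... entry in the keytab
# listing on stdin. A client builds the target principal from the host name
# in the URL, so every name in use needs a key (or the KDC needs an alias).
missing_http_principals() {
    keytab=$(cat)
    for n in "$@"; do
        if ! printf '%s\n' "$keytab" | grep -q "^ *[0-9][0-9]* HTTP/$n@"; then
            printf '%s\n' "$n"
        fi
    done
}

# Constructed sample: master after the AES rekey (assumed realm EXAMPLE.COM).
MASTER_GETPRINC='Principal: HTTP/server.zone.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]'

# Constructed sample: a replica that never received the rekey (assumed, to
# show a mismatch; the thread found the real replica was current).
REPLICA_GETPRINC='Principal: HTTP/server.zone.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 3, des3-cbc-sha1
MKey: vno 1
Attributes:
Policy: [none]'

# Constructed sample: `klist -ke` on the web host (assumed keytab path).
WEB_KEYTAB='Keytab name: FILE:/etc/apache2/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/server.zone.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 HTTP/server.zone.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed: the two names clients reach the host by, as in the thread.
WEB_NAMES='server.zone.example.com server.example.com'

# Stand-alone run over the samples.
m=$(printf '%s\n' "$MASTER_GETPRINC" | getprinc_kvno)
r=$(printf '%s\n' "$REPLICA_GETPRINC" | getprinc_kvno)
k=$(printf '%s\n' "$WEB_KEYTAB" | keytab_kvno HTTP/server.zone.example.com)
printf 'kvno master=%s replica=%s keytab=%s\n' "$m" "$r" "$k"
[ "$m" = "$r" ] || echo "replica is stale: do a full propagation (kprop) from the master"
[ "$m" = "$k" ] || echo "keytab is stale: re-extract the key with kadmin ktadd -k <keytab>"
printf '%s\n' "$WEB_KEYTAB" | missing_http_principals $WEB_NAMES |
    sed 's/^/no HTTP\/ principal in keytab for: /'
```

On the constructed input this reports master=4 replica=3 keytab=4 and flags server.example.com, which is the pair of symptoms the thread describes: a replica/keytab disagreement shows up as a KDC-side vno error, while a missing HTTP/ name shows up only in the master's kdc.log as an unknown server principal. Run the two halves on the real hosts to tell them apart.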