Dump to slave fails; "Password has expired while getting initial ticket"


Yeechang Lee
I've been happily using Kerberos as a single signon on my little home
network for the past 6 1/2 months. In root's crontab on the master KDC
I have a line that calls a shellscript that dumps the database and
calls kprop to distribute it to a slave server every 15 minutes.

Today I noticed that the propagation process last succeeded about ten
days or so ago, specifically right after the six-month anniversary of my
having started using Kerberos (and having had my primary user's
Kerberos password expire for the first time).

Let us assume I am on realm EXAMPLE.COM in network example.com. When,
on my master KDC, I type

    $ sudo kprop -f /var/kerberos/krb5kdc/slave_datatrans \
    slave_server.example.com

I am told

    /usr/kerberos/sbin/kprop: Password has expired while getting
    initial ticket

(And yes, kpropd is already running on slave_server.) Is this a case
of one of the kadmin principals' passwords also having expired? If so,
is it kadmin/admin, kadmin/changepw, kadmin/history, or what? (For
that matter, what are these principals for, anyway?) Or am I
misunderstanding the error message?

On a separate note, when looking through the list of principals, I
noted a mysterious K/[hidden email] I don't remember creating. Based on

    Last modified: Thu Feb 24 21:04:42 PST 2005
    ([hidden email])

(The date I started using Kerberos) I presume it's some sort of
administrative entry, but what does it do?

--
<URL:http://www.pobox.com/~ylee/> PERTH ----> *

Homemade 2.8TB RAID 5 storage array:
<URL:http://groups.google.ca/groups?selm=slrnd1g04a.5mt.ylee%40pobox.com>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Dump to slave fails; "Password has expired while getting initial ticket"

Jeffrey Hutzelman


On Sunday, September 04, 2005 09:21:21 +0000 Yeechang Lee <[hidden email]>
wrote:


>     /usr/kerberos/sbin/kprop: Password has expired while getting
>     initial ticket

I believe the principal you're looking for is kprop/fqdn.of.master.kdc
You should probably arrange for it not to have a password expiration
policy.  If you're really paranoid, you could change it manually once in a
while, but I don't think I know anyone _that_ paranoid.

> On a separate note, when looking through the list of principals, I
> noted a mysterious K/[hidden email] I don't remember creating. Based on
>
>     Last modified: Thu Feb 24 21:04:42 PST 2005
>     ([hidden email])

That principal corresponds to the master key, which is used to encrypt keys
stored in the database.  It's the same master key that you have to enter
(or provide in a stash file) to get the KDC to start up.

-- Jeffrey T. Hutzelman (N3NHS) <[hidden email]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


Re: Dump to slave fails; "Password has expired while getting initial ticket"

Yeechang Lee
Jeffrey Hutzelman wrote:
> >     /usr/kerberos/sbin/kprop: Password has expired while getting
> >     initial ticket
>
> I believe the principal you're looking for is kprop/fqdn.of.master.kdc

Close; it turned out to be host/[hidden email].

> You should probably arrange for it not to have a password expiration
> policy.

For others' benefit, here's how I did this:

kadmin: listprincs

    [...]

    host/[hidden email]
    host/[hidden email]
    host/[hidden email]

    [...]

kadmin: getprinc host/[hidden email]

[...]

    Password expiration date: Thu Aug 25 12:30:07 PDT 2005

[...]

kadmin: modify_principal -pwexpire never host/[hidden email]
    Principal "host/[hidden email]" modified.

kadmin: modify_principal -pwexpire never host/[hidden email]
    Principal "host/[hidden email]" modified.

kadmin: modify_principal -pwexpire never \
        host/[hidden email]
    Principal "host/[hidden email]" modified.

I then copied /var/kerberos/krb5kdc/principal from the master to the
slave KDC. Now the database propagation works again.

(I don't know if I only had to turn off password expiration for the
master or slave KDC's host principal, and I surely didn't have to do
so for the third, non-KDC machine in my home network/realm. However, I
figured it made sense to be consistent across the board; after all,
who knows if I'll one day run a slave KDC on the third machine as
well?)

--
<URL:http://www.pobox.com/~ylee/> PERTH ----> *

Homemade 2.8TB RAID 5 storage array:
<URL:http://groups.google.ca/groups?selm=slrnd1g04a.5mt.ylee%40pobox.com>
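The failure above only surfaced once kprop started breaking. As an added example (not code from the thread), the script below audits the `Password expiration date` field that `kadmin getprinc` prints for the host/ principals a kprop setup depends on, flags any that expire within a warning window, and emits the same `modify_principal -pwexpire never` remediation the poster used. The hostnames and the sample getprinc text are constructed; the `getprinc()` wrapper assumes it runs as root on the master KDC.

```python
"""Audit KDC host/ principals for password expiration (added example)."""
import re
import subprocess
from datetime import datetime, timedelta

# Assumed hostnames; the thread hides the real ones.
KDC_PRINCIPALS = ["host/master.example.com@EXAMPLE.COM",
                  "host/slave_server.example.com@EXAMPLE.COM"]

# kadmin prints "[never]" when no expiration is set, otherwise a
# ctime-style date with a zone abbreviation, e.g. "Thu Aug 25 12:30:07 PDT 2005".
_EXPIRE_RE = re.compile(r"^\s*Password expiration date:\s*(.+?)\s*$", re.M)


def parse_pwexpire(getprinc_output):
    """Return None for no expiration, else a naive datetime (zone dropped)."""
    m = _EXPIRE_RE.search(getprinc_output)
    if not m:
        raise ValueError("no 'Password expiration date' line in getprinc output")
    value = m.group(1)
    if value == "[never]":
        return None
    parts = value.split()
    if len(parts) == 6:          # drop 'PDT'; strptime %Z is not portable
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def expiring_principals(outputs, now=None, warn_days=14):
    """outputs maps principal -> getprinc text. Returns (principal, expiry,
    kadmin remediation) for each password expiring within warn_days or already expired."""
    now = now or datetime.now()
    findings = []
    for princ, text in outputs.items():
        exp = parse_pwexpire(text)
        if exp is not None and exp <= now + timedelta(days=warn_days):
            findings.append((princ, exp, f"modify_principal -pwexpire never {princ}"))
    return findings


def getprinc(principal):
    """Live query on the master KDC: kadmin.local needs root and the stash file."""
    return subprocess.run(["kadmin.local", "-q", f"getprinc {principal}"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output mirroring the thread's expired master principal.
SAMPLE = {
    KDC_PRINCIPALS[0]: "Principal: host/master.example.com@EXAMPLE.COM\n"
                       "Password expiration date: Thu Aug 25 12:30:07 PDT 2005\n",
    KDC_PRINCIPALS[1]: "Principal: host/slave_server.example.com@EXAMPLE.COM\n"
                       "Password expiration date: [never]\n",
}

if __name__ == "__main__":
    for princ, exp, fix in expiring_principals(SAMPLE):
        print(f"{princ} expires {exp:%Y-%m-%d}; run in kadmin: {fix}")
```

Replace `SAMPLE` with `{p: getprinc(p) for p in KDC_PRINCIPALS}` to run it from the same cron script that calls kprop, so the warning arrives before propagation stops.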