Dump to slave fails; "Password has expired while getting initial ticket"
I've been happily using Kerberos as a single signon on my little home
network for the past 6 1/2 months. In root's crontab on the master KDC
I have a line that calls a shellscript that dumps the database and
calls kprop to distribute it to a slave server every 15 minutes.
Today I noticed that the propagation process last succeeded about ten
days or so ago, specifically right after the six-month anniversary of my
having started using Kerberos (and having had my primary user's
Kerberos password expire for the first time).
Let us assume I am on realm EXAMPLE.COM in network example.com. When,
on my master KDC, I type
/usr/kerberos/sbin/kprop: Password has expired while getting initial ticket
(And yes, kpropd is already running on slave_server.) Is this a case
of one of the kadmin principals' passwords also having expired? If so,
is it kadmin/admin, kadmin/changepw, kadmin/history, or what? (For
that matter, what are these principals for, anyway?) Or am I
misunderstanding the error message?
On a separate note, when looking through the list of principals, I
noted a mysterious K/[hidden email] I don't remember creating. Based on
Re: Dump to slave fails; "Password has expired while getting initial ticket"
On Sunday, September 04, 2005 09:21:21 +0000 Yeechang Lee <[hidden email]> wrote:
> /usr/kerberos/sbin/kprop: Password has expired while getting
> initial ticket
I believe the principal you're looking for is kprop/fqdn.of.master.kdc
You should probably arrange for it not to have a password expiration
policy. If you're really paranoid, you could change it manually once in a
while, but I don't think I know anyone _that_ paranoid.
> On a separate note, when looking through the list of principals, I
> noted a mysterious K/[hidden email] I don't remember creating. Based on
> Last modified: Thu Feb 24 21:04:42 PST 2005
> ([hidden email])
That principal corresponds to the master key, which is used to encrypt keys
stored in the database. It's the same master key that you have to enter
(or provide in a stash file) to get the KDC to start up.
-- Jeffrey T. Hutzelman (N3NHS) <[hidden email]>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
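As an added example that is not part of this thread or of the MIT Kerberos distribution: a small script that reads the output of `kadmin.local -q 'getprinc ...'` for the principals in question, reports which of them have a password expiration date in the past, and prints the `modprinc -pwexpire never` command that clears it. The sample getprinc output below is constructed for the example (it follows MIT kadmin's real field layout but the dates and the `host/master.example.com` principal name are assumptions for a home realm like the one described above).

```python
"""Spot Kerberos principals whose password has expired, from the text that
`kadmin.local -q 'getprinc <principal>'` prints, and emit the kadmin command
that removes the expiry.  Added example; assumes MIT Kerberos' getprinc
output format.  The principal names and dates below are constructed."""
from datetime import datetime

# Constructed sample: concatenated output of two kadmin.local invocations,
#   kadmin.local -q 'getprinc host/master.example.com'
#   kadmin.local -q 'getprinc kadmin/admin'
# trimmed to the fields this script cares about.
SAMPLE_OUTPUT = """\
Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: host/master.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Feb 24 21:04:42 PST 2005
Password expiration date: Wed Aug 24 21:04:42 PDT 2005
Maximum ticket life: 1 day 00:00:00
Last modified: Thu Feb 24 21:04:42 PST 2005 (root/admin@EXAMPLE.COM)
Attributes:
Policy: default
Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: kadmin/admin@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Feb 24 21:04:42 PST 2005
Password expiration date: [none]
Maximum ticket life: 0 days 03:00:00
Attributes: DISALLOW_TGT_BASED
Policy: [none]
"""

DATE_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_kadmin_date(text):
    """Turn 'Wed Aug 24 21:04:42 PDT 2005' into a naive datetime, or None
    for '[none]' / '[never]'.  The zone abbreviation is dropped because
    strptime cannot interpret names such as PDT, so comparisons are made
    in the KDC's local time, which is what kadmin prints anyway."""
    text = text.strip()
    if text.startswith("["):
        return None
    parts = text.split()
    if len(parts) == 6:          # weekday month day time zone year
        del parts[4]             # discard the zone token
    return datetime.strptime(" ".join(parts), DATE_FORMAT)


def parse_getprinc(output):
    """Split (possibly concatenated) getprinc output into one dict per
    principal, keyed by the field names kadmin prints."""
    records = []
    for line in output.splitlines():
        if ":" not in line:      # banner lines have no field separator
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Principal":
            records.append({"Principal": value})
        elif records:
            records[-1][key] = value
    return records


def password_expired(record, now):
    """True when the principal carries a password expiration date that has
    already passed; '[none]' means the password never expires."""
    expires = parse_kadmin_date(record.get("Password expiration date", "[none]"))
    return expires is not None and expires <= now


def expired_principals(output, now):
    """Names of all principals in `output` whose password expired before `now`."""
    return [r["Principal"] for r in parse_getprinc(output)
            if password_expired(r, now)]


def fix_command(principal):
    """kadmin command that clears the password expiry on one principal;
    run it on the master KDC as:  kadmin.local -q "<this string>"
    A password policy with -maxlife will set a new expiry the next time
    the password is changed, so also check the principal's 'Policy:' line."""
    return "modprinc -pwexpire never %s" % principal


if __name__ == "__main__":
    for name in expired_principals(SAMPLE_OUTPUT, datetime.now()):
        print("expired: %s\n  kadmin.local -q '%s'" % (name, fix_command(name)))
```

Run against real output with `kadmin.local -q 'getprinc host/master.example.com' | python3 this_script.py`-style redirection adapted to your setup, or simply paste the output into `SAMPLE_OUTPUT`. Note that the expiry is compared in the KDC's local time, which is how kadmin prints it; the same check applies to any service principal whose keytab is used to obtain an initial ticket, since kprop fails at exactly that step.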
I then copied /var/kerberos/krb5kdc/principal from the master to the
slave KDC. Now the database propagation works again.
(I don't know if I only had to turn off password expiration for the
master or slave KDC's host principal, and I surely didn't have to do
so for the third, non-KDC machine in my home network/realm. However, I
figured it made sense to be consistent across the board; after all,
who knows if I'll one day run a slave KDC on the third machine as