hprop problem with krb4-db database


hprop problem with krb4-db database

Florian Daniel Otel
Hello all,

I am trying to migrate from a KTH-KRB4 installation to Heimdal and I
have two questions.

1) hprop refuses to work on the krb4-db format

The problem I have is that "hprop" refuses to convert the principal
database when given in "krb4-db" format:

[....]
root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
--source=krb4-db -n > /tmp/test
kerb_dbl_init: couldn't open /var/lib/kerberos/principal.ok
open: No such file or directory
root@florians:/var/lib/heimdal-kdc# # Ok...That dir doesn't exit, I
can create if you really need it (why would you want it...??)
root@florians:/var/lib/heimdal-kdc# mkdir -p /var/lib/kerberos
root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
--source=krb4-db -n > /tmp/test
kerb_dbl_init: couldn't open /var/lib/kerberos/principal.ok
open: No such file or directory
root@florians:/var/lib/heimdal-kdc# # Now this is really weird...I
assumed that was some sort of lock file ....
root@florians:/var/lib/heimdal-kdc# touch /var/lib/kerberos/principal.ok
root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
--source=krb4-db -n > /tmp/test
hprop: kerb_db_iterate: Service expired (kerberos)
[...]

However, hprop is a bit more cooperative if the database is given in
ASCII format (i.e. "krb4-dump" format):

[...]
root@florians:/var/lib/heimdal-kdc# hprop -d ./slave_dump
--source=krb4-dump -n > /tmp/test
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal
hprop: krb5_425_conv_principal [hidden email]: Failed to
convert v4 principal

Any ideas ?

2) hprop/hpropd and keytabs for different principals (and on which servers?)

Since the documentation is ...well... "very scarce", I have the
following related question: If I want to set up a Heimdal
Master/Slave KDC replication with hprop/hpropd, for which of these
principals do I need keytabs:

... kadmin/admin on the master KDC?
... kadmin/changepw on the master KDC? For this principal apparently the
only way to add a keytab on the master KDC is via "kadmin -l". Trying to do
that using "ktutil get kadmin/changepw" locally failed with "Key
table entry not found"??
... kadmin/hprop on the master KDC?
... host/master-KDC.mydomain.name on the master KDC? (The docs
say the master KDC will use kadmin/hprop for "hprop-ing" with the slaves...?!)
... hosts/slave-KDC.mydomain.name on slave KDCs?
... hprop/slave-kerberos-server.mydomain.name on slave KDCs?

TIA,

Florian

P.S. Any suggestions/pointers to more resources about how to migrate
from KRB4-KTH to Heimdal would be highly appreciated.


Re: hprop problem with krb4-db database

Love Hörnquist Åstrand

Florian Daniel Otel <[hidden email]> writes:

> Hello all,
>
> I am trying to migrate from a KTH-KRB4 installation to Heimdal and I
> have two questions.
>
> 1) hprop refuses to work on the krb4-db format
>
> The problem I have is that "hprop" refuses to convert the principal
> database when given in "krb4-db" format:
>
> [....]
> root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
> --source=krb4-db -n > /tmp/test
> kerb_dbl_init: couldn't open /var/lib/kerberos/principal.ok
> open: No such file or directory
> root@florians:/var/lib/heimdal-kdc# # Ok...That dir doesn't exit, I
> can create if you really need it (why would you want it...??)
> root@florians:/var/lib/heimdal-kdc# mkdir -p /var/lib/kerberos
> root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
> --source=krb4-db -n > /tmp/test
> kerb_dbl_init: couldn't open /var/lib/kerberos/principal.ok
> open: No such file or directory
> root@florians:/var/lib/heimdal-kdc# # Now this is really weird...I
> assumed that was some sort of lock file ....
> root@florians:/var/lib/heimdal-kdc# touch /var/lib/kerberos/principal.ok
> root@florians:/var/lib/heimdal-kdc# hprop -d ./principal.db
> --source=krb4-db -n > /tmp/test
> hprop: kerb_db_iterate: Service expired (kerberos)
> [...]
>
> However, hprop is a bit more cooperative if the database is given in
> ASCII format (i.e. "krb4-dump" format):

Since you say this, I won't comment on the problem above.

> [...]
> root@florians:/var/lib/heimdal-kdc# hprop -d ./slave_dump
> --source=krb4-dump -n > /tmp/test
> hprop: krb5_425_conv_principal [hidden email]: Failed to
> convert v4 principal

It tries to do a mapping between the service name "rcmd.server1", which is the
Kerberos 4 style name, and the FQDN form "host/[hidden email]", but
since the machine can't be found in DNS or in the [domain_realm] mapping file,
it fails. Check if the machine does exist, and if it does, what its
FQDN is and why hprop can't resolve the address on the KDC.

> 2) hprop/hpropd and keytabs for different principals (and on which servers?)
>
> Since the documentation is ...well... "very scarce", I have the
> following related question: If I want to set up a Heimdal
> Master/Slave KDC replication with hprop/hpropd, for which of these
> principals do I need keytabs:

Have you found the info documentation? It's both in the installed tree and
an HTML'ized version on the Heimdal webpage.

>
> ... kadmin/admin on the master KDC?
> ... kadmin/changepw on the master KDC? For this principal apparently the
> only way to add a keytab on the master KDC is via "kadmin -l". Trying to do
> that using "ktutil get kadmin/changepw" locally failed with "Key
> table entry not found"??

kadmin and kpasswdd read this key directly from the database.

> ... kadmin/hprop on the master KDC?
> ... host/master-KDC.mydomain.name on the master KDC? (The docs
> say the master KDC will use kadmin/hprop for "hprop-ing" with the slaves...?!)
> ... hosts/slave-KDC.mydomain.name on slave KDCs?
> ... hprop/slave-kerberos-server.mydomain.name on slave KDCs?

This is described in the info documentation.

> P.S. Any suggestions/pointers to more resources about how to migrate
> from KRB4-KTH to Heimdal would be highly appreciated.

Sorry, I tried to write down all I needed when I did the conversion, and that
is what's in the documentation. It was so long ago I can no longer remember
all details.

Love
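To make the mapping Love describes concrete, here is an added example that is not Heimdal's code and not part of this thread: a simplified model of the v4-to-v5 principal name conversion hprop performs on a krb4-dump. The `rcmd` to `host` remap is the real KRB4/KRB5 convention; the `KNOWN_HOSTS` table is a constructed, offline stand-in for the DNS / [domain_realm] lookup, and all names in it are made up.

```python
# Added example (not Heimdal's code): a simplified model of what
# krb5_425_conv_principal does when hprop reads a krb4-dump, showing
# why "rcmd.server1" fails unless the short instance name can be turned
# into a fully qualified host name.

# The KRB4 host service is called "rcmd"; in KRB5 it is "host".
V4_TO_V5_SERVICE = {"rcmd": "host"}

# Constructed stand-in for the DNS / [domain_realm] lookup Heimdal
# performs. Offline, so a plain dict: short host name -> FQDN.
KNOWN_HOSTS = {"server1": "server1.example.com"}


class ConversionError(ValueError):
    """The case hprop reports as 'Failed to convert v4 principal'."""


def parse_v4(principal):
    """Split 'name.instance@REALM' (instance and realm are optional)."""
    body, _, realm = principal.partition("@")
    name, _, instance = body.partition(".")
    return name, instance, realm or None


def conv_425(v4_principal, default_realm, resolve=KNOWN_HOSTS.get):
    """Return the KRB5 form 'name/instance@REALM' of a KRB4 principal.

    Host-based services need their instance (a short host name in KRB4)
    resolved to an FQDN; every other principal is mapped one to one.
    """
    name, instance, realm = parse_v4(v4_principal)
    realm = realm or default_realm
    if name in V4_TO_V5_SERVICE:
        fqdn = resolve(instance) if instance else None
        if fqdn is None:  # unresolvable host: the error seen in the thread
            raise ConversionError(
                f"krb5_425_conv_principal {v4_principal}: "
                "Failed to convert v4 principal")
        return f"{V4_TO_V5_SERVICE[name]}/{fqdn}@{realm}"
    return f"{name}/{instance}@{realm}" if instance else f"{name}@{realm}"


def convert_dump(v4_principals, default_realm):
    """Convert a list of KRB4 names; return (converted, failed), one
    error message per unconvertible entry, as a dry hprop run prints."""
    converted, failed = [], []
    for p in v4_principals:
        try:
            converted.append(conv_425(p, default_realm))
        except ConversionError as e:
            failed.append(str(e))
    return converted, failed
```

Running `convert_dump(["oteflo0507.admin", "rcmd.server1", "rcmd.server9"], "EXAMPLE.COM")` converts the first two and reports the third, since `server9` has no FQDN in the table.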




Re: hprop problem with krb4-db database

Florian Daniel Otel
Love, all

First and foremost, thanks for the patience in helping me through
this. Obviously, I've never done this before, so I might make some
rookie mistakes..

On 11/3/05, Love Hörnquist Åstrand <[hidden email]> wrote:

> > However, hprop is a bit more cooperative if the database is given in
> > ASCII format (i.e. "krb4-dump" format):
>
> Since you say this, I won't comment on the problem above.

Well, this doesn't answer the question on why the above error occurs,
but still. Moving on.


> > [...]
> > root@florians:/var/lib/heimdal-kdc# hprop -d ./slave_dump
> > --source=krb4-dump -n > /tmp/test
> > hprop: krb5_425_conv_principal [hidden email]: Failed to
> > convert v4 principal
>
> It tries to do a mapping between the service name "rcmd.server1", which is the
> Kerberos 4 style name, and the FQDN form "host/[hidden email]", but
> since the machine can't be found in DNS or in the [domain_realm] mapping file,
> it fails. Check if the machine does exist, and if it does, what its
> FQDN is and why hprop can't resolve the address on the KDC.

Got that, will fix and/or recreate those principals in the new
database (no biggie). However, I have a bigger problem.

First, I manually removed from that krb4-dump file all "rcmd..." and
other "questionable"/already existing principals (e.g. "changepw",
"krbtgt", etc). Btw, do I really need to remove them manually??
Anyway. I tried the procedure below both with and without those
principals in the dump, with the same result.

After "cleaning" the dump, when trying to import the resulting
krb4-dump, my resulting principal database becomes garbled:

root@florians:/var/lib/heimdal-kdc# kinit oteflo0507/admin
oteflo0507/[hidden email]'s Password:
kinit: NOTICE: ticket renewable lifetime is 1 week

root@florians:/var/lib/heimdal-kdc# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: oteflo0507/[hidden email]

  Issued           Expires          Principal
Nov  4 10:27:51  Nov  4 20:27:51  krbtgt/[hidden email]
Nov  4 10:27:51  Nov  4 20:27:51  krbtgt/[hidden email]
Nov  4 10:28:21  Nov  4 11:28:21  kadmin/[hidden email]

   V4-ticket file: /tmp/tkt0
        Principal: [hidden email]

  Issued           Expires          Principal
Nov  4 10:27:51  Nov  4 20:27:51  [hidden email]


root@florians:/var/lib/heimdal-kdc# kadmin list */*
  kadmin/[hidden email]
  kadmin/[hidden email]
  kadmin/[hidden email]
  oteflo0507/[hidden email]
  changepw/[hidden email]
  krbtgt/[hidden email]
  host/[hidden email]
  host/[hidden email]
  hprop/[hidden email]
  hprop/[hidden email]


root@florians:/var/lib/heimdal-kdc# hprop -n -d ./slave_dump.working2
--source=krb4-dump --master-key=./.k   | hpropd -n

root@florians:/var/lib/heimdal-kdc# kadmin list */*
kadmin: kadm5_get_principals: Key table entry not found

kadmin> root@florians:/var/lib/heimdal-kdc# kadmin -l
kadmin> list */*
kadmin: get K/[hidden email]: Invalid argument
kadmin: get afs/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get tobbe/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get tobbe/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get backup/[hidden email]: Invalid argument
kadmin: get httpd/[hidden email]: Invalid argument
kadmin: get user1/[hidden email]: Invalid argument
kadmin: get user2/[hidden email]: Invalid argument
kadmin: get user3/[hidden email]: Invalid argument
kadmin: get user4/[hidden email]: Invalid argument
kadmin: get user5/[hidden email]: Invalid argument
kadmin: get user6/[hidden email]: Invalid argument
...

root@florians:/var/lib/heimdal-kdc# kdestroy

root@florians:/var/lib/heimdal-kdc# kinit oteflo0507/admin
oteflo0507/[hidden email]'s Password:
kinit: Can't send request (send_to_kdc)
kinit: krb5_get_init_creds: unable to reach any KDC in realm IPSC.SECODE.COM


Thanks again for any help


Re: hprop problem with krb4-db database

Florian Daniel Otel
Some typos in the previous mail (anonymizing REALMS and hostnames didn't work
optimally). Sorry for that.