kprop problem: Bad response (during sendauth exchange)

Shivakeshav Santi
Hi,

   I am getting the following error whenever I use kprop to propagate the
database from master to slave.

on master :
kprop -f to_slav -s kprop.keytab slave
Bad response (during sendauth exchange) while authenticating to server

I have the required host key in the host keytab on master and slave.
I have both master and slave listed in the kpropd.acl on master and slave.

Everything else seems to be fine. Did anyone encounter such a problem?

Thanks,

--
Shivakeshav Santi

Programmer Analyst/Senior

Cornell Information Technologies
120 Maple Avenue
Cornell University
Tel :6072551916(O)

Ability may get you to the top, but only character will keep you there .....




_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: kprop problem: Bad response (during sendauth exchange)

Mike Friedman
On Fri, 17 Jun 2005 at 16:38 (-0400), Shivakeshav Santi wrote:

>   I am getting the following error whenever I use kprop to propagate
> the database from master to slave.
>
> on master :
> kprop -f to_slav -s kprop.keytab slave
> Bad response (during sendauth exchange) while authenticating to server
>
> I have the required host key in the host keytab on master and slave. I
> have both master and slave listed in the kpropd.acl on master and slave.
>
> Everything else seems to be fine. Did anyone encounter such a problem?

Did you by any chance download the slave's host keytab info a second time
after populating the keytab file on the slave?  If so, you'd have a
problem.  This is because each ktutil download for a principal causes the
key to be re-randomized in the KDC before the download.  Thus, the second
download would cause the slave host key in the KDC no longer to match
what's in the keytab file on the slave.  Then, when the kprop client on
the master gets its service ticket for kpropd, it will be encrypted in the
*current* slave host key.  Since this would no longer agree with what's in
the slave's keytab, authentication to kpropd on the slave would fail.

On the other hand, if you didn't do any of this, then ... never mind!

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
[hidden email]          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________

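
An added example, not part of the original thread and not MIT Kerberos code: a check for the mismatch described in the reply above, comparing the key version number (kvno) in the slave's keytab, as listed by `klist -k`, with the kvno the KDC currently issues, as reported by `kvno`. It assumes that re-extracting the host key increments the principal's kvno; the function names, host name, realm and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a stale host key in a keytab by comparing kvnos.
# Live use (the two commands run on different hosts):
#   on the slave : klist -k /etc/krb5.keytab
#   on the master: kvno host/slave.example.com   (needs a valid TGT)

# Highest kvno stored for principal $1 in `klist -k` output read from stdin.
# A keytab may hold several versions of a key; the newest is the one to compare.
keytab_kvno() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ { if (!found || $1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (!found) exit 1; print max }'
}

# kvno parsed from `kvno <principal>` output ("<principal>: kvno = N") on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = principal, $2 = klist -k output, $3 = kvno output.
# Returns 0 on match, 1 on mismatch, 2 if either side could not be parsed.
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") ||
        { echo "UNKNOWN: $1 not found in keytab listing"; return 2; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$kdc" ] || { echo "UNKNOWN: no kvno in KDC output"; return 2; }
    if [ "$kt" -eq "$kdc" ]; then
        echo "MATCH: kvno $kt"
    else
        echo "MISMATCH: keytab kvno $kt, KDC kvno $kdc"
        return 1
    fi
}

# Constructed sample outputs: the keytab still holds kvno 2, while the KDC
# has moved on to kvno 3 after a second extraction of the host key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/slave.example.com@EXAMPLE.COM'
SAMPLE_KVNO='host/slave.example.com@EXAMPLE.COM: kvno = 3'

compare_kvno "host/slave.example.com@EXAMPLE.COM" "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

A MISMATCH result means the keytab on the slave has to be regenerated once and copied into place, since every further extraction changes the key in the KDC again.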