Incorrect net address with hpropd/kinit on KDC
Hello,
I seem to be having issues with the infamous "incorrect net address" under
heimdal on OpenBSD 3.7.
kinit (heimdal-0.6.3/OpenBSD)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to bugs@openbsd.org
On my kdc (aka: bob), which is a multihomed machine with several public and
private IPv4/IPv6 addresses, I see the following...
$ kinit
epancer@FOO.EXAMPLE.NET's Password:
kinit: krb5_get_init_creds: Incorrect net address
However, if I do the following I will get a ticket.
$ kinit --no-address
epancer@FOO.EXAMPLE.NET's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1002
Principal: epancer@FOO.EXAMPLE.NET
Cache version: 4
Server: krbtgt/FOO.EXAMPLE.NET@FOO.EXAMPLE.NET
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Jun 1 11:12:03 2005
End time: Jun 1 11:38:03 2005
Renew till: Jun 8 11:12:03 2005
Ticket flags: forwardable, renewable, initial
Addresses:
Unfortunately, this then impacts hprop.
$ /usr/libexec/hprop slave
hprop: krb5_get_init_creds: Incorrect net address
On a similar host that is multihomed in the same manner, I do not have
problems getting a ticket (though it calls back to the KDC in question
here).
Here's my krb5.conf; as you can imagine, I can't propagate my databases to
the slaves....yet :) Thanks for any help.
# bob:/etc/kerberosV/krb5.conf
[libdefaults]
default_realm = FOO.EXAMPLE.NET
clockskew = 300
ticket_lifetime = 1560
[appdefaults]
default_lifetime = 7d
encrypt = true
forward = true
forwardable = true
renewable = true
login = {
forwardable = true
krb5_get_tickets = true
}
kinit = {
forwardable = true
}
[realms]
FOO.EXAMPLE.NET = {
kdc = bob.foo.example.net
kdc = alice.foo.example.net
kdc = mallory.foo.example.net
admin_server = bob.foo.example.net
kpasswd_server = bob.foo.example.net
}
[domain_realm]
.foo.example.net = FOO.EXAMPLE.NET
foo.example.net = FOO.EXAMPLE.NET
[kadmin]
default_keys = v5
[logging]
default = SYSLOG:ERR:AUTH
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
ifconfig(8) output -- addresses have been changed, but they are all public,
routable addresses.
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:55:b7:78:c5
description: public
media: Ethernet 1000baseT full-duplex
status: active
inet 10.19.21.131 netmask 0xffffff80 broadcast 10.19.21.255
inet6 fe80::202:55ff:feb7:78c5%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:55:b7:78:c6
description: ipv6_if
media: Ethernet 1000baseT full-duplex
status: active
inet6 2001:x:y:z::131 prefixlen 96
inet6 fe80::202:55ff:feb7:78c6%bge1 prefixlen 64 scopeid 0x2
inet6 2001:x:y:z::53 prefixlen 96
inet6 2001:x:y:z::1 prefixlen 96
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
physical address inet 10.19.21.131 --> 10.19.81.184
inet6 fe80::202:55ff:feb7:78c5%gif0 -> prefixlen 64 scopeid 0x7
inet6 2001:x:y:q::b -> 2001:x:y:q::a prefixlen 128
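As an added illustration (not part of this post, and not Heimdal's own code), the following Python model shows the check behind "Incorrect net address": a client puts the addresses of its interfaces into the initial ticket request, and a KDC that enforces addresses rejects the request when the source address of the packet it received is not in that list. On a multihomed box with tunnels and link-local addresses, the address the request happens to leave from may not be one the client listed. The sample ifconfig text is constructed from the post with 2001:db8::/32 placeholders; the parser's rules (drop `%scope` suffixes, skip link-local addresses) are this model's simplifying assumptions, not a statement of what the Heimdal library does. The `extra_addresses` parameter mirrors the Heimdal `[libdefaults]` option of that name, which adds addresses to those found on the local machine; this is the defender-friendly alternative to `kinit --no-address`, because an addressless ticket is usable from any host.

```python
import ipaddress

# Constructed ifconfig(8) excerpt modelled on the post; the IPv6 addresses
# are documentation-range placeholders (2001:db8::/32), not real ones.
IFCONFIG_SAMPLE = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.19.21.131 netmask 0xffffff80 broadcast 10.19.21.255
        inet6 fe80::202:55ff:feb7:78c5%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 2001:db8:0:1::131 prefixlen 96
        inet6 fe80::202:55ff:feb7:78c6%bge1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:0:1::53 prefixlen 96
        inet6 2001:db8:0:1::1 prefixlen 96
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        physical address inet 10.19.21.131 --> 10.19.81.184
        inet6 fe80::202:55ff:feb7:78c5%gif0 -> prefixlen 64 scopeid 0x7
        inet6 2001:db8:0:2::b -> 2001:db8:0:2::a prefixlen 128
"""


def client_addresses(ifconfig_text, include_link_local=False):
    """Collect the addresses a client would put into its AS-REQ.

    Simplified model (assumption, not Heimdal's exact rules): every
    'inet'/'inet6' line contributes its first address, '%scope' suffixes
    are dropped, link-local addresses are skipped unless requested, and
    duplicates (the same fe80:: address on bge0 and gif0) are removed.
    """
    found = []
    for line in ifconfig_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] not in ("inet", "inet6"):
            continue
        addr = ipaddress.ip_address(tok[1].split("%", 1)[0])
        if addr.is_link_local and not include_link_local:
            continue
        if addr not in found:
            found.append(addr)
    return found


def kdc_address_check(request_addrs, source_addr, check_addresses=True):
    """Model of the KDC-side test that yields 'Incorrect net address'.

    Returns 'OK' when the request carries no addresses (kinit --no-address),
    when address checking is switched off on the KDC, or when the packet's
    source address is in the requested list; otherwise the Kerberos error
    name that kinit prints as "Incorrect net address".
    """
    if not check_addresses or not request_addrs:
        return "OK"
    if ipaddress.ip_address(source_addr) in request_addrs:
        return "OK"
    return "KRB5KRB_AP_ERR_BADADDR"


def diagnose(ifconfig_text, source_addr, extra_addresses=()):
    """Operator helper: would a request leaving from source_addr pass?

    extra_addresses models Heimdal's [libdefaults] extra_addresses option:
    addresses added to the ones found on the local machine. Returns the
    check result and the list the client would have sent.
    """
    addrs = client_addresses(ifconfig_text)
    addrs += [ipaddress.ip_address(a) for a in extra_addresses]
    return kdc_address_check(addrs, source_addr), [str(a) for a in addrs]


if __name__ == "__main__":
    # Request from the public IPv4 address: listed, passes.
    print(diagnose(IFCONFIG_SAMPLE, "10.19.21.131")[0])
    # Request that happens to leave from an address the client did not
    # list (constructed case: the loopback address): rejected.
    print(diagnose(IFCONFIG_SAMPLE, "::1")[0])
    # Same request after adding that address via extra_addresses: passes,
    # and the ticket stays address-bound.
    print(diagnose(IFCONFIG_SAMPLE, "::1", extra_addresses=("::1",))[0])
```

Run with `python3 model.py` and compare the printed results with what `klist -v` shows under "Addresses:"; an empty list there, as in the post's `--no-address` output, means the ticket will be accepted from any source, which is the trade-off being made when the flag is used as a workaround.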