On 5/19/19 10:27 AM, Greg Hudson wrote:
> Yes, it's local on the master KDC. kprop begins by getting Kerberos
> credentials for the host principal of the replica KDC, and this step is
> failing. You can simulate this step with "kinit -k host/replica.name"
> to try to isolate the problem.

Apologies; that wasn't correct. I should have said: kprop begins by
getting Kerberos credentials for host/master.kdc.name@REALM to
host/replica.kdc.name@REALM. You can simulate this step with:

    kinit -k -S host/replica.kdc.name host/master.kdc.name

Each KDC should only have its own host principal in its keytab file. If
you extracted the host principal for host/master.kdc.name on the replica
KDC (therefore incrementing the key version of host/master.kdc.name and
invalidating the master KDC's keytab file), that might account for the
error.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
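
One way to check for the stale-keytab condition described in the message above, as an added example that is not part of the original post and is not MIT krb5 code. It compares the key versions in plain "klist -k" output from the master KDC with the "Key: vno" lines from kadmin's getprinc output; both sample texts and the function names are constructed for illustration.

```python
import re

# Constructed sample: `klist -k /etc/krb5.keytab` on the master KDC.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/master.kdc.name@REALM
   2 host/master.kdc.name@REALM
"""

# Constructed sample (abridged): kadmin.local -q "getprinc host/master.kdc.name"
SAMPLE_GETPRINC = """\
Principal: host/master.kdc.name@REALM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
"""

def keytab_kvnos(klist_text):
    """Map each principal in plain `klist -k` output to its set of kvnos."""
    entries = {}
    for line in klist_text.splitlines():
        # Entry lines start with the kvno, then the principal name.
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)", line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def kdb_kvno(getprinc_text):
    """Return (principal, highest key version) from getprinc output."""
    princ = re.search(r"^Principal:\s*(\S+)", getprinc_text, re.M)
    vnos = [int(v) for v in re.findall(r"^Key: vno (\d+)", getprinc_text, re.M)]
    if not princ or not vnos:
        raise ValueError("input does not look like getprinc output")
    return princ.group(1), max(vnos)

def check(klist_text, getprinc_text):
    """'ok' if the keytab holds the KDC's current kvno, else 'stale' or 'missing'."""
    princ, current = kdb_kvno(getprinc_text)
    have = keytab_kvnos(klist_text).get(princ, set())
    if not have:
        return "missing"
    return "ok" if current in have else "stale"

if __name__ == "__main__":
    print(check(SAMPLE_KLIST, SAMPLE_GETPRINC))
```

A "stale" result for host/master.kdc.name matches the situation the message describes: the key was re-extracted elsewhere, so the master's keytab no longer holds the current key version.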