Answering only the unimportant part for lack of insight on the other one...

On Mon, Dec 09, 2019 at 10:04:17AM -0800, Stephen Carville (Kerberos List) wrote:
> Recently I migrated the kerberos master and one slave to another
> location using a tool called "Zerto". Perhaps coincidentally, replication
> broke with the above error message. I checked that DNS A and PTR records
> for all the servers are correct. I can get a ticket using kinit (kinit
> -k host/<hostname>). I finally recreated the keytab file
> (/etc/krb5.keytab) and propagated it to the other three servers. Still
> no replication.
>
> Any suggestions?
>
> BTW, while trying to fix it, I noticed that every time I use ktadd to
> add a key to krb5.keytab the KVNO increments. Is that normal?

Yes, that is normal. Otherwise any administrator with "extract keytab"
permissions could ~silently fetch the currently in-use keys for a service
and start decrypting or forging traffic; requiring a kvno increment (and
new random key) makes the operation more noticeable and prevents the
exfiltration of the live, in-use, key material.

-Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos