Bug 514741

Summary: Stash file architecture dependent, when creating slave KDC according to the bug #442879
Product: Red Hat Enterprise Linux 5
Reporter: Zbysek MRAZ <zmraz>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.4
CC: borgan, dpal, ebenes, jplans, rlerch
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: krb5-1.6.1-42.el5
Doc Type: Bug Fix
Doc Text:
The format of a stash file, while not architecture-specific, is endian-specific. Consequently, a stash file is not directly portable between big-endian and little-endian systems. When setting up a secondary KDC where the endianness differs from that of the master KDC, the stash file should be recreated by running 'kdb5_util create -s' on the secondary and supplying the original master password.
Last Closed: 2011-01-13 23:33:10 UTC
Bug Blocks: 442879, 513501    
Attachments:
Description Flags
candidate patch none

Description Zbysek MRAZ 2009-07-30 15:22:24 UTC
Description of problem:
Bug 442879 brings a different way to create the slave database.
The rest is pasted from my comment in the original bug
( https://bugzilla.redhat.com/show_bug.cgi?id=442879#c16 )

"Found problems in the architecture-dependent stash file when copying from one arch
to another. This script provided by dev can work around it by changing the first
bits of the file. Tested on several architectures."

Version-Release number of selected component (if applicable):
krb5-1.6.1-36.el5

How reproducible:
Always on different archs

Steps to Reproduce:
1. Set up a KDC database and host keytab for the master if it
doesn't already have one.
2. Create a host keytab for the slave. You can do this on the
master (primary) KDC.
3. 'scp' /tmp/krb5.keytab.slave to $slavefqdn:/etc/krb5.keytab, and
/var/kerberos/krb5kdc/.k5* to $slavefqdn:/var/kerberos/krb5kdc.
4. On the slave (secondary) KDC, set up the ACLs so that a remote
connection to the kprop service running on the slave made by the master
KDC's 'host' principal will be allowed.
5. Start the kpropd service on the slave, create a dump, and replicate the db from the master to the slave.
6. Start the Kerberos KDC service.
  
Actual results:
KDC will not start

Expected results:
KDC will start

Additional info:
As a workaround, the script included in https://bugzilla.redhat.com/show_bug.cgi?id=442879 can be used; it will recode the stash file.
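
A check for the mismatch described above, as an added example (it is not the script attached to bug 442879 and not krb5 code). It assumes the legacy stash layout of a 2-byte enctype, a 4-byte key length and then the raw key bytes, with both integers in the writer's native byte order; the function names and the sample file are constructed for illustration.

```python
import struct
import sys

# Assumed legacy layout: int16 enctype, uint32 key length, then the key bytes.
HEADER = "hI"
HEADER_LEN = 6


def parse_stash(data, order):
    """Decode the header as 'little' or 'big'; return None if implausible."""
    if len(data) <= HEADER_LEN:
        return None
    prefix = "<" if order == "little" else ">"
    enctype, keylen = struct.unpack(prefix + HEADER, data[:HEADER_LEN])
    # In the right byte order the enctype is positive and the key length
    # accounts for every byte that follows the header.
    if enctype <= 0 or keylen != len(data) - HEADER_LEN:
        return None
    return enctype, data[HEADER_LEN:]


def stash_byte_order(data):
    """Return the byte order the stash file was written with."""
    matches = [o for o in ("little", "big") if parse_stash(data, o)]
    if len(matches) != 1:
        raise ValueError("not a recognisable legacy stash file")
    return matches[0]


def recode_stash(data, target):
    """Rewrite only the header integers for the target byte order."""
    enctype, key = parse_stash(data, stash_byte_order(data))
    prefix = "<" if target == "little" else ">"
    return struct.pack(prefix + HEADER, enctype, len(key)) + key


# Constructed sample: enctype 18 with a dummy 32-byte key, written little-endian.
SAMPLE_LE = struct.pack("<hI", 18, 32) + bytes(range(32))

if __name__ == "__main__":
    order = stash_byte_order(SAMPLE_LE)
    print("stash written as:", order, "| this host is:", sys.byteorder)
    if order != sys.byteorder:
        print("mismatch: recreate with 'kdb5_util create -s' or recode the header")
```

Running the check against the copied `.k5*` file on the secondary before starting the KDC shows whether the file matches `sys.byteorder` there; the key bytes themselves are never altered by the recode step.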

Comment 2 Nalin Dahyabhai 2009-07-31 20:04:28 UTC
Created attachment 355855
candidate patch

Comment 5 Ryan Lerch 2009-08-19 03:37:48 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
The format of the stash file, while not architecture-specific, is
endian-specific, in that a stash file is not directly portable between
big-endian and little-endian systems.  When setting up a secondary KDC whose
endianness differs from that of the master KDC, the stash file should be
recreated by running 'kdb5_util create -s' on the secondary and supplying the
original master password.  In future releases, the format of this file will be
that of a keytab file, and this will not be an issue.

Comment 7 Ryan Lerch 2009-08-19 03:53:04 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,7 +1,6 @@
-The format of the stash file, while not architecture-specific, is
-endian-specific, in that a stash file is not directly portable between
-big-endian and little-endian systems.  When setting up a secondary KDC whose
+The format of a stash file, while not architecture-specific, is
+endian-specific. Consequently, a stash file is not directly portable between
+big-endian and little-endian systems.  When setting up a secondary KDC where the
 endianness differs from that of the master KDC, the stash file should be
 recreated by running 'kdb5_util create -s' on the secondary and supplying the
-original master password.  In future releases, the format of this file will be
+original master password.-that of a keytab file, and this will not be an issue.
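
Review bot: The revised sentence ending "recreated by running 'kdb5_util create -s' on the secondary and supplying the original master password" does not say what to do with a stash file already copied over from the master, which is how the reader will have hit the problem in the first place. Suggest adding a clause stating that the copied stash file must not be used when endianness differs. In the last line of the hunk the added "+original master password." and the removed "-that of a keytab file, and this will not be an issue." are run together, which makes it easy to miss that the sentence about the future keytab format was dropped; if that removal is intentional, it is worth a word in the change description.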

Comment 9 RHEL Program Management 2009-11-06 19:01:23 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 14 errata-xmlrpc 2011-01-13 23:33:10 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html