faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 2.7. How do I set up slave servers?



Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.6. How do I change the master key?
Next Document: 2.8. What do I need to do to make V4 clients work with my V5 KDC?
Setting up a slave KDC is fairly simple. Here are the steps you need to
perform:

  1. Create host principals for your master and slave KDCs. These will look
     like host/kdc1.foo.bar@FOO.BAR, or something similar.
  2. In the Kerberos database directory (/usr/krb5/lib/krb5kdc using the
     default configuration) on both your masters and slaves, create a file
     called kpropd.acl and place in it all of the host principals for your
     KDCs.

     For example, if you had three KDCs, kdc1.foo.bar, kdc2.foo.bar, and
     kdc3.foo.bar, this file would contain:

     host/kdc1.foo.bar@FOO.BAR
     host/kdc2.foo.bar@FOO.BAR
     host/kdc3.foo.bar@FOO.BAR

  3. On your slave KDCs, add an entry for kpropd in inetd.conf. A sample
     entry would look like:

     krb5_prop  stream  tcp  nowait root /usr/krb5/sbin/kpropd kpropd

  4. On the master KDC, dump the database into a file using kdb5_util.
     Depending on where you told Kerberos to live, a sample command would
     look like:

     /usr/krb5/sbin/kdb5_util dump /usr/krb5/lib/krb5kdc/slave_datatrans

  5. Run kprop on the master to propagate the database to each slave:

     /usr/krb5/sbin/kprop -f /usr/krb5/lib/krb5kdc/slave_datatrans kdc2.foo.bar
     /usr/krb5/sbin/kprop -f /usr/krb5/lib/krb5kdc/slave_datatrans kdc3.foo.bar

Once you have this working, you probably want to write a script to propagate
the database at regular intervals. Here is the one that I use:

#!/bin/sh
#
# Dump the master KDC's database and push it to each slave.

kdclist="kdc1.foo.bar kdc2.foo.bar"
dumpfile=/var/krb5/krb5kdc/slave_datatrans

/usr/krb5/sbin/kdb5_util dump $dumpfile

for kdc in $kdclist
do
        # -f names the dump just written; without it kprop reads its
        # default dump file, which may live in a different directory.
        /usr/krb5/sbin/kprop -f $dumpfile $kdc > /dev/null
done
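The script above discards kprop's output and never checks whether a slave actually received the dump. As an added example (not the FAQ author's script), here is a cron-friendly variant of steps 4 and 5 that keeps the FAQ's default paths but checks each exit status and names the slaves that failed. The script name kprop_slaves.sh, the function names and the overridable tool variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the FAQ's script: dump the master KDC database and
# propagate it to each slave, reporting every slave whose kprop failed.
# Paths are the FAQ's defaults; the variables can point at stand-in tools.
KDB5_UTIL="${KDB5_UTIL:-/usr/krb5/sbin/kdb5_util}"
KPROP="${KPROP:-/usr/krb5/sbin/kprop}"
DUMPFILE="${DUMPFILE:-/usr/krb5/lib/krb5kdc/slave_datatrans}"

# dump_database: write the master's database to DUMPFILE (step 4 of the FAQ).
dump_database() {
    "$KDB5_UTIL" dump "$DUMPFILE"
}

# propagate_all SLAVE...: run kprop against each slave with the same dump file
# (step 5). Prints the name of every slave whose kprop exited non-zero, one per
# line, and returns the number of failures, so 0 means all slaves are current.
propagate_all() {
    failures=0
    for kdc in "$@"; do
        if ! "$KPROP" -f "$DUMPFILE" "$kdc" >/dev/null 2>&1; then
            echo "$kdc"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# main SLAVE...: dump once, then propagate. A failed dump aborts before any
# kprop runs, and any failed slave is named on stderr with a non-zero exit,
# so a cron job mails the failure instead of leaving a slave silently stale.
main() {
    if ! dump_database; then
        echo "kdb5_util dump failed; nothing propagated" >&2
        return 1
    fi
    failed=$(propagate_all "$@")
    if [ -n "$failed" ]; then
        echo "kprop failed for:" $failed >&2
        return 1
    fi
    return 0
}

# Slaves are given on the command line, e.g.:
#   ./kprop_slaves.sh kdc2.foo.bar kdc3.foo.bar
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```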

The most common error people get when setting up their KDC is the extremely
confusing "Decrypt integrity check failed". This means that the host keys
stored in the KDC don't match the keys stored in the corresponding keytabs
(I bet you recreated the database a couple of times while you were playing
around with the KDC, didn't you?). Installing new host keys on the master
and the slaves will fix this problem.


Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM