Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.23. I already have a standard Unix password database for my user population. Can I convert this to a Kerberos password database?
Next Document: 2.25 What is the kadm5.acl file?

From: Christopher Misra <crispy@nic.umass.edu>

I run a single KDC that maintains three databases all kept in separate subdirs. I then run three kadmin processes, and just manually configure the port to be in sync. Here is a list of the processes as running (from ps):

    .../sbin/krb5kdc -r <realm1> -r <realm2> -r <realm3>
    .../sbin/kadmind -r <realm1>
    .../sbin/kadmind -r <realm2> -port 748
    .../sbin/kadmind -r <realm3> -port 747

Although maybe not exactly the way it should be done, it has worked for me. Presently I only keep a slave KDC for one of the three databases, but it should be reasonably trivial to run an additional slave of one of the other db's. Included below is a cleaned up version of my kdc.conf and kpropd.acl just to be complete. Also included below is the command line for running kprop, as I remember it taking me the better part of a day to get it all working. Hope this helps. All this is, good or bad, provided without any guarantee, etc.
--- kdc.conf:

    [kdcdefaults]

    [realms]
        <realm1> = {
            profile = /etc/krb5.conf
            database_name = .../var/krb5kdc/<realm1>/principal
            admin_database_name = .../var/krb5kdc/<realm1>/principal.kadm5
            admin_database_lockfile = .../var/krb5kdc/<realm1>/principal.kadm5.lock
            admin_keytab = .../var/krb5kdc/<realm1>/kadm5.keytab
            acl_file = .../var/krb5kdc/<realm1>/kadm5.acl
            dict_file = .../var/krb5kdc/kadm5.dict
            key_stash_file = .../var/krb5kdc/<realm1>/.k5stash
            kadmind_port = 748
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = <enc-type>
        }
        <realm2> = {
            profile = /etc/krb5.conf
            database_name = .../var/krb5kdc/<realm2>/principal
            admin_database_name = .../var/krb5kdc/<realm2>/principal.kadm5
            admin_database_lockfile = .../var/krb5kdc/<realm2>/principal.kadm5.lock
            admin_keytab = .../var/krb5kdc/<realm2>/kadm5.keytab
            acl_file = .../var/krb5kdc/<realm2>/kadm5.acl
            dict_file = .../var/krb5kdc/kadm5.dict
            key_stash_file = .../var/krb5kdc/<realm2>/.k5stash
            kadmind_port = 749
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = <enc-type>
        }
        <realm3> = {
            profile = /etc/krb5.conf
            database_name = .../var/krb5kdc/<realm3>/principal
            admin_database_name = .../var/krb5kdc/<realm3>/principal.kadm5
            admin_database_lockfile = .../var/krb5kdc/<realm3>/principal.kadm5.lock
            admin_keytab = .../var/krb5kdc/<realm3>/kadm5.keytab
            acl_file = .../var/krb5kdc/<realm3>/kadm5.acl
            dict_file = .../var/krb5kdc/kadm5.dict
            key_stash_file = .../var/krb5kdc/<realm3>/.k5stash
            kadmind_port = 747
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = <enc-type>
        }

--- kpropd.acl

    host/<master_kdc.domain>@<realm1>
    host/<slave_kdc.domain>@<realm1>

--- kprop command line arguments

    .../sbin/kprop -r <realm1> -f <filename> -P <port> <slave_kdc.domain>

This requires kpropd be running on the appropriate slave_kdc (I do it from inetd, this could be argued to be bad, but oh well...) with a -R <realm1> argument.

Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
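The post keeps three realms apart on one KDC host by hand: a separate subdirectory per realm in kdc.conf and a distinct kadmind port per realm, chosen once in kdc.conf and again on each kadmind command line. The script below, an added example that is not part of the FAQ or of the quoted post, parses a kdc.conf-style profile and checks exactly those two things: that no two realms share a database, ACL, keytab or stash file, and that no two kadmind instances would bind the same port once -port overrides kadmind_port (the precedence the MIT kadmind manual page describes, taken here as an assumption). Realm names (EXAMPLE1.TEST and so on) and paths are constructed placeholders. Note that the post's ps listing gives -port 748 to realm2 while its kdc.conf gives kadmind_port = 748 to realm1; fed those values, the cross-check reports two kadmind processes on port 748.

```python
"""Consistency check for a multi-realm MIT Kerberos kdc.conf (added example).

Not code from the Kerberos FAQ or the quoted post. Parses the krb5 profile
format (sections, key = value, nested "key = {" blocks) and checks what the
post keeps in sync by hand: one kadmind port per realm, and per-realm
database, ACL, keytab and stash files that do not collide.
"""

DEFAULT_KADMIND_PORT = 749      # built-in default when nothing else sets a port

# Settings that must differ between realms sharing one KDC host.
# dict_file is deliberately absent: a shared password dictionary is harmless.
PER_REALM_UNIQUE = ('database_name', 'admin_database_name',
                    'admin_database_lockfile', 'admin_keytab',
                    'acl_file', 'key_stash_file')


def parse_profile(text):
    """Parse krb5 profile text into {section: {key: value-or-nested-dict}}."""
    root, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':        # blank or comment line
            continue
        if line.startswith('[') and line.endswith(']'):
            section = root.setdefault(line[1:-1].strip(), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("setting outside any [section]: %r" % raw)
        if line == '}':
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == '{':                        # open a nested block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return root


def check_realms(conf):
    """Return findings for realms that share a port or a per-realm file."""
    findings, seen = [], {}
    for realm, settings in conf.get('realms', {}).items():
        values = {'kadmind_port': settings.get('kadmind_port', str(DEFAULT_KADMIND_PORT))}
        for key in PER_REALM_UNIQUE:
            values[key] = settings.get(key)
        for key, value in values.items():
            if value is None:
                findings.append("%s: %s not set; the default would be shared "
                                "with every other realm that leaves it unset" % (realm, key))
                continue
            first = seen.setdefault((key, value), realm)
            if first != realm:
                findings.append("%s and %s share %s = %s" % (first, realm, key, value))
    return findings


def effective_kadmind_port(conf, argv):
    """Port that 'kadmind -r REALM [-port N]' would listen on.

    Assumed precedence: -port on the command line overrides kadmind_port in
    kdc.conf, which in turn overrides the built-in default.
    """
    realm = port = None
    for i, arg in enumerate(argv):
        if arg == '-r' and i + 1 < len(argv):
            realm = argv[i + 1]
        elif arg == '-port' and i + 1 < len(argv):
            port = int(argv[i + 1])
    if realm is None:
        raise ValueError("kadmind command line has no -r REALM")
    if port is None:
        port = int(conf.get('realms', {}).get(realm, {}).get('kadmind_port', DEFAULT_KADMIND_PORT))
    return realm, port


def check_kadmind_cmdlines(conf, cmdlines):
    """Flag kadmind processes that would end up bound to the same port."""
    findings, by_port = [], {}
    for argv in cmdlines:
        realm, port = effective_kadmind_port(conf, argv)
        if port in by_port:
            findings.append("kadmind for %s and %s both bind port %d" % (by_port[port], realm, port))
        else:
            by_port[port] = realm
    return findings


def realm_block(realm, port):
    """One per-realm stanza laid out like the post's kdc.conf (constructed sample)."""
    d = "/var/krb5kdc/" + realm
    return "\n".join([
        "    %s = {" % realm,
        "        database_name = %s/principal" % d,
        "        admin_database_name = %s/principal.kadm5" % d,
        "        admin_database_lockfile = %s/principal.kadm5.lock" % d,
        "        admin_keytab = %s/kadm5.keytab" % d,
        "        acl_file = %s/kadm5.acl" % d,
        "        dict_file = /var/krb5kdc/kadm5.dict",
        "        key_stash_file = %s/.k5stash" % d,
        "        kadmind_port = %d" % port,
        "    }", ""])


# Constructed sample: three realms with the ports the post's kdc.conf assigns.
SAMPLE_KDC_CONF = ("[kdcdefaults]\n[realms]\n" + realm_block("EXAMPLE1.TEST", 748)
                   + realm_block("EXAMPLE2.TEST", 749) + realm_block("EXAMPLE3.TEST", 747))

# Constructed sample: the kadmind command lines as the post's ps listing shows them.
SAMPLE_KADMIND_CMDLINES = [
    ["kadmind", "-r", "EXAMPLE1.TEST"],
    ["kadmind", "-r", "EXAMPLE2.TEST", "-port", "748"],
    ["kadmind", "-r", "EXAMPLE3.TEST", "-port", "747"],
]

if __name__ == "__main__":
    conf = parse_profile(SAMPLE_KDC_CONF)
    for finding in check_realms(conf) + check_kadmind_cmdlines(conf, SAMPLE_KADMIND_CMDLINES):
        print("FINDING:", finding)
```

Run against a real kdc.conf, `parse_profile(open('/path/to/kdc.conf').read())` and the argument vectors from `ps` replace the constructed samples; an empty findings list from both checks means the per-realm files and ports are disjoint, which is the property the post's manual port bookkeeping is meant to guarantee.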