At this point, you will want to set up a backup or “slave” KDC.
Host Principal
First, add a host principal for each
slave KDC. If you followed the instructions above for the primary KDC, then you
will already have a host principal for the primary.
[root@coma ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey host/second.example.com
NOTICE: no policy specified for host/second.example.com@EXAMPLE.COM; assigning "default"
Principal "host/second.example.com@EXAMPLE.COM" created.
Copy Configuration Files
Copy the following files from the
primary KDC to each of the slave KDCs.
- /etc/krb5.conf
- /var/kerberos/krb5kdc/kdc.conf
- /var/kerberos/krb5kdc/kadm5.acl
- /etc/gssapi_mech.conf
Create kpropd.acl
Create an ACL file with all of the KDCs
listed (both primary and backups). This file is
/var/kerberos/krb5kdc/kpropd.acl and should look something like this.
host/coma.example.com@EXAMPLE.COM
host/second.example.com@EXAMPLE.COM
Don’t put this file on the primary KDC or kadmin will not start.
Add Host Principal to Slave Key Table
On each slave KDC, add the host
principal to the local key table.
[root@second ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: ktadd host/second.example.com
Start the Kerberos Propagation Daemon
On RHEL4 it is not necessary to create the database on the slave before starting the daemon. It was reported (thanks Louis) that on Fedora, and perhaps CentOS, it is required: if the kprop daemon does not start, create the database with “kdb5_util create -s” before starting it. (The “-s” also writes the stash file, so the stash step below is already done on that slave.)
On each slave KDC, use the following commands to enable receipt of the Kerberos database.
[root@second ~]# chkconfig kprop on
[root@second ~]# service kprop start
Starting Kerberos 5 Propagation Server: [ OK ]
Propagate the Database
The next step is to propagate the database (manually) to each slave KDC. This is a two-step process. First, dump the database to a file. Next, propagate the dumped file to each slave KDC. The dump contains every key in the realm, so it must not be readable by anyone but root.
[root@coma ~]# kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@coma ~]# kprop -f /var/kerberos/krb5kdc/slave_datatrans second.example.com
Database propagation to second.example.com: SUCCEEDED
Create a Stash File
On each KDC you need to create a stash file. You will need the (really long and random) master key that you entered when you initially created the Kerberos database. The stash file holds the master key on disk so that krb5kdc can start unattended; keep it readable by root only. The “Cannot find/read stored master key” messages below are expected on a slave that has no stash file yet.
[root@second ~]# kdb5_util stash
kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key:
Start the Kerberos 5 KDC on each Slave
Now that the database is there, and you
have created the stash file, you are ready to start the KDC Daemon.
[root@second ~]# chkconfig krb5kdc on
[root@second ~]# service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
Do not start the Administration Daemon (kadmin) on the slaves. The Administration Daemon is used to add/remove/modify principals and to change passwords. When the database is replicated to the slaves, any changes that were made on the slaves would be lost. This also means that if the primary KDC goes down, it is not possible to make changes, or for users to modify their password.
If the primary KDC will be down for an extended period, you can make any slave the primary, but you will have to replicate the database back to the old primary when it becomes available. This requires manual intervention.
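The dump-and-propagate step above is something the primary KDC has to repeat every time the database changes, so in practice it runs from cron rather than by hand. The script below is an added example, not code from the original page: it wraps the same kdb5_util dump and kprop commands, pushes the dump to every slave in turn, refuses to propagate at all if the dump failed, and reports which slaves did not accept the transfer. The paths are the ones used on this page; the SLAVES list (second.example.com and third.example.com) is a hypothetical placeholder to be edited for your realm.

```sh
#!/bin/sh
# Added example (not from the original page): push the KDC database from the
# primary to every slave KDC. Assumes the paths used on this page and that
# kdb5_util and kprop are on PATH (krb5-server on RHEL/Fedora). The SLAVES
# list is hypothetical.

KDCDIR=${KDCDIR:-/var/kerberos/krb5kdc}
DUMPFILE=${DUMPFILE:-$KDCDIR/slave_datatrans}
SLAVES=${SLAVES:-"second.example.com third.example.com"}   # hypothetical list

# The dump holds every key in the realm: make sure nothing we create is
# group- or world-readable, whatever umask the caller (cron, a shell) had.
umask 077

# Dump the database to $DUMPFILE. Returns kdb5_util's exit status.
dump_db() {
    kdb5_util dump "$DUMPFILE"
}

# Propagate the dump to one slave. Returns kprop's exit status.
propagate_one() {
    kprop -f "$DUMPFILE" "$1"
}

# Propagate to every host in $SLAVES. Prints one line per slave plus a
# summary; returns 0 only if every slave accepted the database, so a cron
# job can mail on failure.
propagate_all() {
    failed=0
    for host in $SLAVES; do
        if propagate_one "$host"; then
            echo "propagation to $host: SUCCEEDED"
        else
            echo "propagation to $host: FAILED" >&2
            failed=$((failed + 1))
        fi
    done
    echo "propagation finished: $failed failure(s)"
    [ "$failed" -eq 0 ]
}

# Full run: dump, then propagate. A failed dump aborts before any kprop,
# so no slave is ever sent a truncated or stale file.
propagate_db() {
    if ! dump_db; then
        echo "kdb5_util dump failed; not propagating" >&2
        return 1
    fi
    propagate_all
}

# Run the whole procedure only when invoked with --run, so the file can
# also be sourced for its functions (e.g. from a larger maintenance script).
if [ "${1-}" = "--run" ]; then
    propagate_db
fi
```

Run it on the primary as `sh propagate.sh --run` (from cron, for example), and keep the exit status: a non-zero result means at least one slave is serving an old copy of the database and should be investigated before you rely on it as a failover.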