
Re: Replicated LDAP as backend

daemon@ATHENA.MIT.EDU (Paul van der Vlis)
Thu Jul 24 12:53:01 2014

Message-ID: <53D0D579.5000709@vandervlis.nl>
Date: Thu, 24 Jul 2014 11:44:25 +0200
From: Paul van der Vlis <paul@vandervlis.nl>
MIME-Version: 1.0
To: kerberos@mit.edu, Benjamin Kaduk <kaduk@mit.edu>
In-Reply-To: <alpine.GSO.1.10.1407232157400.21571@multics.mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello Benjamin,

On 24-07-14 03:58, Benjamin Kaduk wrote:
> On Wed, 23 Jul 2014, Paul van der Vlis wrote:
> 
>> Hello,
>>
>> I am the administrator of a Kerberos system. The backend of Kerberos is
>> LDAP. I use it for NFS home-directories and shares. Now there is a
>> second location of the organisation, they would like to have the same
>> system there.
>>
>> What I did is a replication of the LDAP to the new location, so the LDAP
>> is read-only. And I've installed Kerberos with that LDAP as the backend.
>> It seems to work. I create accounts on the old location and they are
>> replicated to the new location. And I can use Kerberos on the new location.
>>
>> My question is: is this a good setup?
>>
>> A goal is, that we want to be able to work even when there is no
>> internet connection between both locations.
> 
> That should be a fine setup.  The only thing that seems worth noting is 
> that the "old" Kerberos server (KDC) is the master KDC, so administrative 
> actions must be done against that site (and will not be possible from the 
> new location if there is no connection between the two locations).

Thanks for your help!

Is it important to study the docs for a slave KDC, or is this setup for
when you don't have a replicated LDAP backend?

I am wondering a bit why this does not work on a client on the new
location:
-------
root@client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
Authenticating as principal paul/admin with password.
Password for paul/admin@DOMAIN.NL:
kadmin: Kerberos database constraints violated while changing
nfs/client.domain.nl's key
--------
Maybe kadmin tries to write something to the LDAP?
Or is it not related?
On the old location this works fine.

With regards,
Paul van der Vlis.


-- 
Paul van der Vlis Linux system administration, Groningen
http://www.vandervlis.nl
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
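An added example, not from the thread or from MIT Kerberos itself, illustrating the failure Paul reports: `ktadd` generates a new random key and writes it to the KDB, so it is an administrative write that must reach the master KDC's kadmind, not a KDC backed by a read-only LDAP replica. The script reads the realm's `admin_server` from krb5.conf and passes it to `kadmin -s` explicitly; the embedded krb5.conf and the hostnames in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the thread's own code): route ktadd to the master KDC's
# kadmind, because ktadd randomizes the principal's key and writes it to the
# KDB (here: the LDAP directory, which is read-only at the replica site).

# Constructed sample krb5.conf; hostnames are placeholders, not real servers.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = DOMAIN.NL

[realms]
    DOMAIN.NL = {
        kdc = kdc1.domain.nl
        kdc = kdc2.domain.nl
        admin_server = kdc1.domain.nl
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
        admin_server = kdc.other.example
    }
'

# admin_server_for_realm REALM [FILE]
# Prints the admin_server configured for REALM in the [realms] section
# (the master KDC running kadmind); prints nothing if none is configured.
admin_server_for_realm() {
    realm="$1"; conf="${2:-/etc/krb5.conf}"
    awk -v realm="$realm" '
        /^\[/                                  { in_realms = ($0 == "[realms]") }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}"                  { in_realm = 0 }
        in_realm && $1 == "admin_server"       { print $3; exit }
    ' "$conf"
}

# ktadd_via_master PRINCIPAL ADMIN_PRINCIPAL REALM
# Runs ktadd against the master admin server (-s) instead of whatever the
# local replica site's defaults resolve to. Fails clearly when the realm has
# no admin_server, or when the master is unreachable (no link between sites).
ktadd_via_master() {
    princ="$1"; admin="$2"; realm="$3"
    master="$(admin_server_for_realm "$realm")"
    if [ -z "$master" ]; then
        echo "no admin_server for realm $realm in /etc/krb5.conf" >&2
        return 1
    fi
    kadmin -s "$master" -r "$realm" -p "$admin" -q "ktadd $princ"
}
```

Usage on a client would be `ktadd_via_master "nfs/$(hostname --fqdn)" paul/admin DOMAIN.NL`; when the inter-site link is down the command fails at connection time rather than with a database-constraint error from the replica.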
