[36297] in Kerberos

Re: Replicated LDAP as backend

daemon@ATHENA.MIT.EDU (Robert Wehn)
Thu Jul 24 13:18:24 2014

Message-ID: <53D13FD3.5080800@rz.uni-augsburg.de>
Date: Thu, 24 Jul 2014 19:18:11 +0200
From: Robert Wehn <robert.wehn@rz.uni-augsburg.de>
MIME-Version: 1.0
To: kerberos@mit.edu, Paul van der Vlis <paul@vandervlis.nl>
In-Reply-To: <53D0D579.5000709@vandervlis.nl>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello Paul,

On 24.07.2014 11:44, Paul van der Vlis wrote:
> Hello Benjamin,
>
> On 24-07-14 03:58, Benjamin Kaduk wrote:
>> That should be a fine setup. The only thing that seems worth noting
>> is that the "old" Kerberos server (KDC) is the master KDC, so
>> administrative actions must be done against that site (and will not
>> be possible from the new location if there is no connection between
>> the two locations).
> Thanks for your help!
>
> Is it important to study the docs for a slave-KDC, or is this setup for
> when you don't have a replicated LDAP backend?
>
> I am wondering a bit why this does not work on a client on the new
> location:
> -------
> root@client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
> Authenticating as principal paul/admin with password.
> Password for paul/admin@DOMAIN.NL:
> kadmin: Kerberos database constraints violated while changing
> nfs/client.domain.nl's key
> --------
> Maybe kadmin tries to write something to the LDAP?
> Or is it not-related?
> On the old location this works fine.
As Benjamin pointed out, if your LDAP Backend is master/slave, then on
the slave location the Kerberos Server is also a slave, as changes can't
be done there (not replicated back).

So your kadmin server can only be on the "Master Site", no "kadmin" to
the slave server is possible. If your Master Server is not reachable
kadmin (and password changes) cannot be done until the connection is
online again.

regards, Robert.

-- 

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
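
The layout described in this thread, written out as a client krb5.conf for the new location. This is an added example, not part of the original message; the realm DOMAIN.NL is from the thread, while the hostnames kdc-old.domain.nl and kdc-new.domain.nl are hypothetical stand-ins for the master site and the replica site.

```ini
# Added example: client krb5.conf at the new (replica) location.
# Hostnames are hypothetical; only the realm name comes from the thread.
[libdefaults]
    default_realm = DOMAIN.NL

[realms]
    DOMAIN.NL = {
        # Ticket requests are read-only against the database, so either
        # KDC can answer them. The local one is listed first.
        kdc = kdc-new.domain.nl
        kdc = kdc-old.domain.nl

        # kadmin operations (ktadd, addprinc, ...) and password changes
        # write to the database, so they must reach the master site.
        admin_server = kdc-old.domain.nl
        kpasswd_server = kdc-old.domain.nl

        # Clients retry here when a replica rejects a password, in case
        # the replica has not yet received a recent password change.
        master_kdc = kdc-old.domain.nl
    }
```

With this layout, ticket issuance at the new location keeps working if the link to the master site drops, while kadmin and password changes fail until the connection is back.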

