
Re: Replicated LDAP as backend

daemon@ATHENA.MIT.EDU (tomas.kuthan)
Fri Jul 25 00:59:46 2014

Date: Fri, 25 Jul 2014 06:59:15 +0200
Message-ID: <gyhk99pcv1a406mfx1isj6tm.1406264355869@email.android.com>
From: "tomas.kuthan" <tomas.kuthan@oracle.com>
To: Paul van der Vlis <paul@vandervlis.nl>, kerberos@mit.edu
MIME-Version: 1.0
Reply-To: "tomas.kuthan" <tomas.kuthan@oracle.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

ktadd generates a new random key and stores this new key in the keytab, so this too has to be done on the master.

Tomas

-------- Original message --------
From: Paul van der Vlis <paul@vandervlis.nl> 
Date: 25/07/2014  00:45  (GMT+01:00) 
To: Robert Wehn <robert.wehn@rz.uni-augsburg.de>,kerberos@mit.edu 
Subject: Re: Replicated LDAP as backend 
 
op 24-07-14 19:16, Robert Wehn schreef:
> 
> Am 24.07.2014 11:44, schrieb Paul van der Vlis:

>> I am wondering a bit why this does not work on a client on the new
>> location:
>> -------
>> root@client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
>> Authenticating as principal paul/admin with password.
>> Password for paul/admin@DOMAIN.NL:
>> kadmin: Kerberos database constraints violated while changing
>> nfs/client.domain.nl's key
>> --------
>> Maybe kadmin tries to write something to the LDAP?
>> Or is it not-related?
>> On the old location this works fine.
> as Benjamin pointed out, if your LDAP Backend is master/slave, then on
> the slave location the Kerberos Server is also a slave, as changes can't
> be done there (not replicated back).
> 
> So your kadmin server can only be on the "Master Site", no "kadmin" to
> the slave server is possible. If your Master Server is not reachable
> kadmin (and password changes) cannot be done until the connection is
> online again.

The command I give is to download a key, not to change anything.
But maybe it tries to write something too, no idea.

Does it make sense to run krb5-admin-server at the slave-kdc server on
the new location or is it better to stop this service?

I think it's a good idea to change the "admin_server" setting in
/etc/krb5.conf on the new location to the server at the old location.
Correct?

With regards,
Paul van der Vlis.




-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
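The thread's practical upshot is that `ktadd` is a write (it randomizes the principal's key and bumps the kvno), so `admin_server` in krb5.conf at the replica site must point at the master KDC. The following is an added example, not code from the thread or from MIT Kerberos: a small parser for the `[realms]` section of a krb5.conf and a check that flags an `admin_server` that does not point at the master. The realm name DOMAIN.NL is taken from the quoted kadmin session; the host names and the config fragment are constructed for the example.

```python
import re

# Constructed sample krb5.conf fragment (not from the thread): the realm name
# DOMAIN.NL appears in the quoted kadmin session; the host names are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.NL

[realms]
    DOMAIN.NL = {
        kdc = kdc.oldsite.domain.nl
        kdc = kdc.newsite.domain.nl
        admin_server = kdc.newsite.domain.nl
    }
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org:749
    }
"""


def parse_realms(text):
    """Return {realm: {key: [values...]}} parsed from the [realms] section.

    Handles the brace-delimited realm blocks krb5.conf uses; repeated keys
    (several 'kdc =' lines) are collected into a list in file order.
    Other sections ([libdefaults], [domain_realm], ...) are skipped.
    """
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).lower()
            current = None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)
        if m:
            current = realms.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return realms


def check_admin_server(realms, realm, master_host):
    """Return a list of findings (empty when the realm's admin_server is the master).

    master_host is the administrator's knowledge of which KDC holds the
    writable database; it is not something krb5.conf itself records.
    """
    conf = realms.get(realm)
    if conf is None:
        return [f"realm {realm} not configured"]
    admins = conf.get("admin_server", [])
    if not admins:
        return [f"{realm}: no admin_server set; kadmin will guess from the kdc list"]
    findings = []
    for entry in admins:
        host = re.sub(r":\d+$", "", entry)  # strip an optional :port suffix
        if host.lower() != master_host.lower():
            findings.append(
                f"{realm}: admin_server {entry} is not the master {master_host}; "
                "kadmin writes such as ktadd will fail against a replica"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_realms(SAMPLE_KRB5_CONF)
    for finding in check_admin_server(parsed, "DOMAIN.NL", "kdc.oldsite.domain.nl"):
        print(finding)
```

Run it against a real `/etc/krb5.conf` by reading the file into `parse_realms` and passing the master's host name; an empty list means the replica site will send `kadmin` traffic to the master as Tomas describes.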

