[36860] in Kerberos


Kerberos master-slave setup : Database propagation,

daemon@ATHENA.MIT.EDU (HARMAN)
Sat Mar 21 22:28:33 2015

Date: Sun, 22 Mar 2015 07:58:16 +0530
Message-ID: <CADJErsT0Hg5g1LB8+p531tONCU+sXwdCnft5PZMsJ0WZpROMRg@mail.gmail.com>
From: HARMAN <punjabibecks@gmail.com>
To: Kerberos Mailing List <kerberos@mit.edu>

I am trying to set up Kerberos on Red Hat with slaves and database
propagation (not incremental). I am going through MIT's documentation for
KDC installation and configuration. Currently, I have three doubts/issues:


1. Do we need kpropd running on the slave KDC, even if we do not have
incremental propagation?

I started xinetd service, and tried propagating database (without starting
kpropd, as I have not configured incremental propagation), and it gave me
an error:
kprop: Connection refused while connecting to server
However, when I started kpropd in the same setup without any configuration
change, I was able to successfully propagate the database.

As per the document, it says:
[Re]start inetd daemon. Alternatively, start kpropd as a stand-alone
daemon. This is required when incremental propagation is enabled.
I went through MIT's Troubleshooting page as well, and it said the same,
i.e. inetd can run kprop.

My inetd.conf:
krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd


2. Do we need to add Kerberos Administration Server (admin_server) for
slave KDC in krb5.conf? OR In other words, can we have more than one
admin_server properties configured in krb5.conf?

Since we are configuring a master-slave setup and can switch to a slave KDC,
making it the new master at any point in time, we would need to start a
Kerberos Administration Server (kadmind) on the new master as well. Do we
need to have hosts for both the admin servers listed in the krb5.conf file?

I tried adding both the hosts, but it turns out that this property only
picks the last configured one.

e.g. if a krb5.conf looks like:
[realms]
KRB.MY.DOMAIN = {
kdc = old-master-host.my.domain
kdc = new-master-host.my.domain
admin_server = old-master-host.my.domain
admin_server = new-master-host.my.domain
}
[domain_realm]
.my.domain = KRB.MY.DOMAIN

In such a case, admin server would be looked only at
new-master-host.my.domain, even if it is running on
old-master-host.my.domain.


3. Can we start Kerberos Administration Server on a slave KDC machine, as
specified in MIT documentation?

I tried starting Kerberos Administration Server (kadmind) on my new master
and I got an error:
Error. This appears to be a slave server, found kpropd.acl

Is it not advisable to start the Administration server on the slave machine
or do we have to [re]move the kpropd.acl file before we can start
Administration server?

I would really appreciate any pointers or help.
Thanks in advance!

Regards,
Harman
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
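The second question above (several admin_server lines in one realm stanza) is the kind of thing worth checking before a failover, rather than discovering when kadmin silently talks to the wrong host. The following is an added example, not code from the poster or from MIT Kerberos: a small Python parser for the krb5.conf subset shown in the message that collects every relation in a [realms] stanza in order, and a lint that flags realms with more than one admin_server. The "last entry wins" rule in effective_admin_server() is an assumption taken from the behaviour the poster reports, and the embedded configuration is a constructed sample modelled on the fragment in the message.

```python
import re

# Constructed sample, modelled on the krb5.conf fragment quoted in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = KRB.MY.DOMAIN

[realms]
KRB.MY.DOMAIN = {
kdc = old-master-host.my.domain
kdc = new-master-host.my.domain
admin_server = old-master-host.my.domain
admin_server = new-master-host.my.domain
}

[domain_realm]
.my.domain = KRB.MY.DOMAIN
"""


def parse_realms(text):
    """Return {realm: {relation: [values...]}} for the [realms] section.

    Only the syntax shown in the post is handled: '[section]' headers,
    'NAME = {' ... '}' stanzas and 'key = value' lines ('#' starts a comment).
    Repeated relations are kept in file order so callers can see duplicates.
    """
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            current = None
            continue
        if section != "realms":
            continue
        stanza = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if stanza:
            current = realms.setdefault(stanza.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return realms


def effective_admin_server(relations):
    """Host kadmin would contact for one realm.

    Assumption (mirrors the behaviour the poster observed): when a realm
    lists admin_server more than once, only the last value is used.
    """
    values = relations.get("admin_server", [])
    return values[-1] if values else None


def lint_realms(realms):
    """One finding per realm whose admin_server entries would be silently ignored."""
    findings = []
    for realm, rel in realms.items():
        admins = rel.get("admin_server", [])
        if len(admins) > 1:
            findings.append(
                f"{realm}: {len(admins)} admin_server entries; only "
                f"{admins[-1]!r} is used, {admins[:-1]} are ignored"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_realms(SAMPLE_KRB5_CONF)
    for realm, rel in parsed.items():
        print(realm, "kdc:", rel.get("kdc"), "admin_server ->",
              effective_admin_server(rel))
    for finding in lint_realms(parsed):
        print("WARNING:", finding)
```

Running it against the sample lists both kdc hosts for KRB.MY.DOMAIN but reports that only new-master-host.my.domain would be used as the admin server, which is exactly the surprise described in the message; pointing parse_realms() at the contents of a real /etc/krb5.conf gives the same check for a live configuration.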
