[36862] in Kerberos


Re: Kerberos master-slave setup : Database propagation, and KDC &

daemon@ATHENA.MIT.EDU (HARMAN)
Sat Mar 21 23:13:38 2015

MIME-Version: 1.0
In-Reply-To: <550E30F4.8010609@mit.edu>
Date: Sun, 22 Mar 2015 08:43:24 +0530
Message-ID: <CADJErsSy3G1v7UYAj7vgnG6TzLmUEm9SO=f=6qf75Oerj5pstQ@mail.gmail.com>
From: HARMAN <punjabibecks@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Kerberos Mailing List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Greg

Thanks a lot for such a great explanation.

I really appreciate all the effort.

Just a little more info on the 1st point, I cannot see any incoming
connections in messages unless I do not start a kprop.
Mar 21 14:40:55 my-slave-host xinetd[22894]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Mar 21 14:40:55 my-slave-host xinetd[22894]: Started working: 0 available services
Mar 22 01:10:42 my-slave-host kpropd[24213]: Connection from my-master-host

Anything you could think of that I might have configured wrong?

Thanks,
Harman


On Sun, Mar 22, 2015 at 8:33 AM, Greg Hudson <ghudson@mit.edu> wrote:

> On 03/21/2015 10:28 PM, HARMAN wrote:
> > I started xinetd service, and tried propagating database (without
> > starting kpropd, as I have not configured incremental propagation), and
> > it gave me an error:
> > kprop: Connection refused while connecting to server
>
> I couldn't figure out what's wrong here.  kpropd ought to be able to run
> out of inetd or a similar service if you aren't doing incremental
> propagation.
>
> > 2. Do we need to add Kerberos Administration Server (admin_server) for
> > slave KDC in krb5.conf? OR In other words, can we have more than one
> > admin_server properties configured in krb5.conf?
>
> Not presently.  The kadmin client code currently only handles one server
> hostname.
>
> > 3. Can we start Kerberos Administration Server on a slave KDC machine, as
> > specified in MIT documentation?
>
> Yes, but it might not be a good idea--any changes made through a slave's
> kadmind service will be overwritten by the next propagation.
>
> > I tried starting Kerberos Administration Server (kadmind) on my new
> > master and I got an error:
> > Error. This appears to be a slave server, found kpropd.acl
>
> That error is coming from Red Hat's system scripts, not from kadmind
> itself.
>



-- 
HARMAN
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
