[37542] in Kerberos


master and n-slaves,

daemon@ATHENA.MIT.EDU (Diogenes S. Jesus)
Tue Jun 28 09:59:32 2016

MIME-Version: 1.0
From: "Diogenes S. Jesus" <splash@gmail.com>
Date: Tue, 28 Jun 2016 15:58:59 +0200
Message-ID: <CAD8MJvBMuB6k5JJVCbeZGEs6ugiPxb6j=zXfe1OBYPhbhVPYuA@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi everyone.

I'm currently struggling to make krb5kdc start without a stash file - and
no prompt.

As I understood it [1], the stash file stores the encrypted master key. This
file is used to automate the start-up of the KDC to decrypt the local (as in
on-disk) krb database. However, the definition is not really that [2] -
the stash is used to authenticate the KDC to itself.

However, I'm currently using the LDAP backend and I have no local (on-disk)
database on my master.
I'm not using (and don't plan to use) Kerberos built-in replication - I'm
relying on LDAP replicas providing data for slave KDCs, thus taking
advantage of LDAP built-in replication.

That said, what's the role of the stash file in this scenario? To decrypt
the krbPrincipalKey LDAP attribute?
If so, all KDCs, regardless of being slaves or not, must have the same
stash file - then comes the question: what's the best practice when
spawning new KDCs to retrieve the one shared stash? I think I may have the
answer already - use a wallet file object, for example, but any
idea/experience in the area would help.

Thanks in advance.

[1]
https://books.google.com/books?id=dGMd-uay-lkC&printsec=frontcover&redir_esc=y#v=onepage&q&f=false
- page 57
[2] http://web.mit.edu/Kerberos/krb5-1.13/doc/basic/stash_file_def.html
-- 

--------
Dio
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
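When a new KDC is provisioned from a shared stash, as the post describes, the one check an operator wants is that the copy that landed on the new host is intact and is not readable by anyone but the KDC user. The script below is an added example written for this page, not code from the poster or from MIT Kerberos; it assumes the stash path (krb5's default naming is `.k5.REALM` under the KDC directory), the expected owner UID and a reference SHA-256 digest taken from the master's copy are all supplied by the caller, and it uses only POSIX sh plus `stat` and `sha256sum`/`shasum`.

```shell
#!/bin/sh
# Added example (not from the post or from the krb5 project): sanity-check a
# stash file copied onto a KDC host. Assumptions: the caller passes the stash
# path, the UID the file must be owned by, and the SHA-256 digest of the
# master KDC's copy (REF_DIGEST); nothing here talks to a real KDC.

# file_mode PATH: print the octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_uid PATH: print the numeric owner UID
file_uid() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# file_sha256 PATH: print the hex SHA-256 digest of the file contents
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_stash PATH OWNER_UID REF_DIGEST
# Returns 0 when the stash exists and is non-empty, is owned by OWNER_UID,
# is not readable by group or other (mode 600 or 400), and its digest equals
# the master's reference digest. Prints every failing condition, returns 1.
check_stash() {
  path=$1; owner=$2; ref=$3; rc=0
  if [ ! -s "$path" ]; then
    echo "FAIL: $path missing or empty"
    return 1
  fi
  mode=$(file_mode "$path")
  case "$mode" in
    600|400) ;;
    *) echo "FAIL: $path mode $mode (want 600 or 400)"; rc=1 ;;
  esac
  if [ "$(file_uid "$path")" != "$owner" ]; then
    echo "FAIL: $path not owned by uid $owner"; rc=1
  fi
  if [ "$(file_sha256 "$path")" != "$ref" ]; then
    echo "FAIL: $path digest differs from the master copy"; rc=1
  fi
  return $rc
}

# Usage on a freshly provisioned KDC (paths and digest are placeholders):
#   check_stash /var/krb5kdc/.k5.EXAMPLE.REALM 0 "$REF_DIGEST" && echo "stash OK"
```

The digest comparison is what catches a truncated or mis-copied stash before krb5kdc is started, and the mode check catches the common mistake of copying the file with a permissive umask; a mismatch on any of the three is reason to re-copy rather than start the KDC.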
