[1552] in Kerberos_V5_Development
Re: kdc.conf [realms] section
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue Aug 13 12:57:46 1996
Date: Tue, 13 Aug 1996 12:57:41 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: hartmans@MIT.EDU
Cc: raeburn@cygnus.com, krbdev@MIT.EDU
In-Reply-To: <tslg25rkz1j.fsf@tertius.mit.edu> (message from Sam Hartman on 13
Aug 1996 12:51:36 -0400)

Barry> Perhaps I'm missing something obvious, but I don't see why
Barry> you would have to take kadmind offline for this operation.
Barry> "dump, merge, reload" is in fact the solution I would
Barry> recommend for this arrangement.

If I modify the data with kadmin between the dump and the
reload step, I lose the changes.

Right, I hadn't thought of that.

It seems like it ought to be possible to use the load -update option
to merge in just the entries from the realm the dual server is a slave
for, without affecting the entries from the realm the dual server is a
master for. This would then not require a separate dump/merge step at
all.

One problem does occur to me. KADM5 policy names do not include
realms. So, if the two realms had overlapping names for different
policies, the values on the dual server would get overwritten. This
could be solved by grepping out all policy lines from the dump file
before loading it on the dual server. However, if the KDC ever starts
using policies to make ticket-issuing decisions, this will be a problem.

Barry
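
Added example, not part of the original message or of the Kerberos sources: a shell sketch of the policy-name check and the "grep out the policy lines" step described above. It assumes each dump record is one tab-separated line whose first field is the record type (`princ` or `policy`) and whose second field, for policy records, is the policy name. The function names, file names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Assumption: dump records are tab-separated lines, first field = record type,
# and for "policy" records the second field is the policy name.

# Print policy names that exist in both dumps with different contents,
# i.e. the ones a load of the second dump would silently overwrite.
conflicting_policies() {
    awk -F'\t' '
        $1 != "policy"       { next }                 # only policy records matter here
        FILENAME == ARGV[1]  { mine[$2] = $0; next }  # remember local definitions
        ($2 in mine) && mine[$2] != $0 { print $2 }   # same name, different record
    ' "$1" "$2" | sort -u
}

# Emit a dump with every policy record removed; header and principal
# lines pass through unchanged.
strip_policies() {
    awk -F'\t' '$1 != "policy"' "$1"
}

# Constructed sample dumps. Fields after the name are placeholders,
# not real principal or policy data.
work=$(mktemp -d)
printf 'princ\talice@A.EXAMPLE\tplaceholder\npolicy\tdefault\t8\t2\npolicy\tadmins\t12\t4\n' \
    > "$work/master_a.dump"
printf 'princ\tbob@B.EXAMPLE\tplaceholder\npolicy\tdefault\t6\t1\npolicy\tadmins\t12\t4\npolicy\tguests\t6\t1\n' \
    > "$work/from_b.dump"

# Report collisions first, then produce the policy-free file to load.
conflicting_policies "$work/master_a.dump" "$work/from_b.dump"
strip_policies "$work/from_b.dump" > "$work/from_b.nopolicy.dump"
```

Running the conflict check before stripping records which policy definitions differ between the two realms, so the difference is known rather than silently dropped along with the policy lines.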