<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi Monica,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>actually i am not sure, whether the server will
start without the krb5.conf file or not. But as far as i see it, the krb5.conf
file hosts the configuration for the client side. so e.g. which server is used
and so on. Which value do you think take effekt on the server? I see your point
concerning the clock skew, but for the ticket lifetime there is a maximum in the
kdc.conf and a "request value" in the krb5.conf (although it does not seem to
work this way....). About the clock skew do not bother at all, keep your clocks
synchronized using ntp or something similar.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When you want to change a slave kdc into a master
kdc you have to make changes manually (start kadmind-deamon, create
kadmin-keytabs, start replication...) and you have to take back these changes
afterwards. So anyway, there is a lot of to do. You can write a small skript
doing this for you (maybe you already use kererized ssh for transferring this
automatically), but i do not know about a kerberos procedure for
that.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Maybe you can first set up the broken master server
as a slave server, start replikation and then switch again? This is almost the
same as dumping and loading it....</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Klaas</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>----- Original Message ----- </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=mllau2002@yahoo.com href="mailto:mllau2002@yahoo.com">Monica Lau</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=klaas@northsailor.de
href="mailto:klaas@northsailor.de">klaas hagemann</A> ; <A
title=kerberos@mit.edu href="mailto:kerberos@mit.edu">kerberos@mit.edu</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, July 29, 2002 10:49
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: Few quick questions</DIV>
<DIV><BR></DIV>
<P>Hi Klaas,
<P>Thanks for your help! I'm a bit confused by the krb5.conf file --
doesn't the server also read this configuration file at start up? Also,
I see your point in dumping the slave kdc database and then loading that onto
the master kdc database manually -- but is there some way to automate this
process safely?
<P>Thanks,
<P>Monica
<P>
<P> <B><I>klaas hagemann <KLAAS@NORTHSAILOR.DE></I></B>wrote:
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">
<META content="MSHTML 6.00.2600.0" name=GENERATOR>
<STYLE></STYLE>
<DIV><FONT face=Arial size=2>Hi Monica,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>as far as i understood it, changes in krb5.conf
take affect immediatly. This is a Client side konfiguration file, which is
used by kinit and other "kerberized" applikations.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>You can make a dump of the slave kdc manually
and load it in the master kdc by hand. This is no problem. Even creating a
new master kdc is possible. Maybe you have to create the kadmin-keytabs and
the stash-file again, but that is no problem.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Kerberos uses the system time. so you need to
have an external way to get your system times synchronised, like an
ntp-server.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Klaas</FONT></DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=mllau2002@yahoo.com href="mailto:mllau2002@yahoo.com">Monica
Lau</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=kerberos@mit.edu
href="mailto:kerberos@mit.edu">kerberos@mit.edu</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, July 29, 2002 7:12
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Few quick questions</DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial
size=2></FONT><BR></DIV>
<P>Hi all,
<P>I'm very new to Kerberos, and I have some general questions
below. Any suggestions is greatly appreciated. Thanks for your
time and help!
<P>1. In the krb5.conf file, I can specify the clock skew and ticket
lifetime times. If I want to change these values after the kdc is
already running, do I need to restart the kdc? Ithere some way that
the kdc would read these values dynamically and take note of these
changes?
<P>2. Can slave KDC propagate its database back to the master KDC?
Let's say that the master KDC goes down and the administrator makes
changes to the slave KDC database. Now before we restart
the master KDC, we want to update its database with the changes. Is
it possible for slave KDC to propagate its database back to master? </P>
<P>3. How do I set the KDC time? Is there some kadmin options to do
this?</P>
<P>Thanks,</P>
<P>Monica</P>
<P><BR>
<HR SIZE=1>
<B>Do You Yahoo!?</B><BR><A href="http://health.yahoo.com/">Yahoo!
Health</A> - Feel better, live better</BLOCKQUOTE></BLOCKQUOTE>
<P><BR>
<HR SIZE=1>
<B>Do You Yahoo!?</B><BR><A href="http://health.yahoo.com/">Yahoo! Health</A>
- Feel better, live better</BLOCKQUOTE></BODY></HTML>