svn rev #25434: trunk/doc/rst_source/ krb_admins/install_kdc/ relay/
tsitkova@MIT.EDU
tsitkova at MIT.EDU
Fri Nov 4 13:13:40 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25434
Commit By: tsitkova
Log Message:
Updated the documentation for the propagation.
Changed Files:
U trunk/doc/rst_source/krb_admins/install_kdc/admins_to_acl.rst
U trunk/doc/rst_source/krb_admins/install_kdc/admins_to_db.rst
U trunk/doc/rst_source/krb_admins/install_kdc/kadmind_kt.rst
U trunk/doc/rst_source/krb_admins/install_kdc/kdc_prop_slave.rst
U trunk/doc/rst_source/krb_admins/install_kdc/krb_daemon.rst
U trunk/doc/rst_source/krb_admins/install_kdc/mod_conf.rst
U trunk/doc/rst_source/krb_admins/install_kdc/slave_install.rst
U trunk/doc/rst_source/relay/build_this.rst
U trunk/doc/rst_source/relay/index.rst
Modified: trunk/doc/rst_source/krb_admins/install_kdc/admins_to_acl.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/admins_to_acl.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/admins_to_acl.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -78,6 +78,8 @@
Finally, any principal with an *admin* instance in *EXAMPLE.COM* has *all* permissions,
but any principal that they create or modify will not be able to get *postdateable* tickets or tickets with a life of longer than 9 hours.
+.. warning:: If the *kadmind*'s ACL file is modified, the *kadmind* daemon needs to be restarted for changes to take effect.
+
------------
Feedback:
Modified: trunk/doc/rst_source/krb_admins/install_kdc/admins_to_db.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/admins_to_db.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/admins_to_db.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -1,3 +1,5 @@
+.. _addadmin_kdb:
+
Add administrators to the Kerberos database
===============================================
@@ -19,7 +21,7 @@
kadmin.local: addprinc admin/admin at ATHENA.MIT.EDU
- NOTICE: no policy specified for "admin/admin at ATHENA.MIT.EDU";
+ WARNING: no policy specified for "admin/admin at ATHENA.MIT.EDU";
assigning "default".
Enter password for principal admin/admin at ATHENA.MIT.EDU: <= Enter a password.
Re-enter password for principal admin/admin at ATHENA.MIT.EDU: <= Type it again.
Modified: trunk/doc/rst_source/krb_admins/install_kdc/kadmind_kt.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/kadmind_kt.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/kadmind_kt.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -11,7 +11,7 @@
(These principals are placed in the Kerberos database automatically when you create it.)
To create the *kadmin* keytab, run *kadmin.local* and use the :ref:`ktadd` command, as in the following example::
- shell% /usr/local/sbin/admin.local
+ shell% /usr/local/sbin/kadmin.local
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 5, encryption
Modified: trunk/doc/rst_source/krb_admins/install_kdc/kdc_prop_slave.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/kdc_prop_slave.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/kdc_prop_slave.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -13,10 +13,18 @@
Database propagation to kerberos-1.mit.edu: SUCCEEDED
+Just in case you need an additional confirmation of the successful propagation,
+do the following on the slave:
+ - make sure that only this slave's *kdc* is listed in the *krb5.conf* file, then
+ - start *krb5kdc* on the slave server and
+ - run "kinit admin/admin\@ATHENA.MIT.EDU" which should succeed once the correct password
+ (i.e. password that was entered on the master server for this principal) is provided.
+ - now *klist* should display the message similar to "Default principal: admin/admin\@ATHENA.MIT.EDU"
+
You will need a script to dump and propagate the database. The following is an example of a bourne shell script that will do this.
-.. note:: Remember that you need to replace */usr/local* with the name of the directory in which you installed Kerberos V5.
+.. note:: Remember that you need to replace */usr/local/var* with the name of the directory in which you installed Kerberos V5.
::
@@ -53,61 +61,25 @@
Propagation failed?
------------------------
-
-If propagation failed with a loud:
-
.. _prop_failed_start:
-.. error:: kprop: Connection refused in call to connect while opening connection
+.. error:: kprop: No route to host in call to connect while opening connection
-it means that *kprop* did not manage to contact *kpropd* on the remote slave KDC.
+ kprop: Connection refused in call to connect while opening connection
-This will occur if you set restrictive access rules with a firewall, or if *kpropd* did not start upon connection.
+ kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
-The propagation is done through a tcp stream on port 754. Usually, *kpropd* is not a daemon running on its own:
-it is started by *inetd* (or its equivalent *xinetd*). However, many systems do not register *kpropd* as a service in their *inetd* database.
+Make sure that
-You can launch *kpropd* by two different means: either by starting it during boot up with the **-S** argument (see :ref:`kpropd(8)` for details),
-or register *kprop* as a potential services to *inetd*.
+#. the time is syncronized between the master-slaves participants;
+#. master stash and keytab files (e.g. *.k5.ATHENA.MIT.EDU* and *host/kerberos-1.mit.edu\@ATHENA.MIT.EDU*) are copied from the master to the expected location on the slaves;
+#. Kerberos database was created on the slaves prior the propagation from the master.
+#. if *kpropd* is invoked from *inetd* (or its equivalent *xinetd*),
+ the *inetd* daemon was restarted after the configuration files
+ */etc/inetd.conf* and */etc/services* were updated;
+#. *kpropd* is running on the slave server;
+#. if the locations of the configuration/keytab files differ from the default ones, provide the proper environment variables and/or options to the programs;
-To register *kpropd*, it depends on whether your are using inetd or its more sophisticated equivalent *xinetd*.
-First, edit */etc/services*, and look for *kprop* service; the line should look like this::
-
- kprop 754/tcp
-
-If you did not find it, please add it to the bottom of the file. Save and close.
-
-
-Now we should edit */etc/inetd.conf* (see below for *xinetd*), and add the following line to setup the database propagation daemon ::
-
- kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
-
-Please note that the path to executable may vary from one system to another. Save and close *inetd.conf*, and restart *inetd*::
-
- \# /etc/rc.d/inetd restart
-
-
-All config file for *xinetd* resides in the */etc/xinetd.d* directory. We must add the *kprop* config file, so that *xinetd* knows its existence.
-Create and edit the */etc/xinetd.d/kpropd* file ::
-
- service kprop
- {
- socket_type = stream
- wait = no
- user = root
- server = /usr/local/sbin/kpropd
- only_from = 0.0.0.0 # Allow anybody to connect to it. Restrictions may apply here.
- log_on_success = PID HOST EXIT DURATION
- log_on_failure = PID HOST
- }
-
-Save and close the file, and restart *xinetd*::
-
- \# /etc/init.d/xinetd restart
-
-You should now be able to propagate the dumps from master to slave.
-
-
.. _prop_failed_end:
Modified: trunk/doc/rst_source/krb_admins/install_kdc/krb_daemon.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/krb_daemon.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/krb_daemon.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -1,7 +1,8 @@
Start the Kerberos daemons on the master KDC
===============================================
-At this point, you are ready to start the Kerberos KDC and administrative daemons on the Master KDC. To do so, type::
+At this point, you are ready to start the Kerberos KDC (:ref:`krb5kdc(8)`) and
+administrative daemons on the Master KDC. To do so, type::
shell% /usr/local/sbin/krb5kdc
shell% /usr/local/sbin/kadmind
@@ -13,6 +14,8 @@
you can add them to the KDC's */etc/rc* or */etc/inittab* file.
You need to have a :ref:`stash_definition` in order to do this.
+
+
You can verify that they started properly by checking for their startup messages in the logging locations
you defined in */etc/krb5.conf*. (See :ref:`logging`).
For example::
@@ -25,6 +28,12 @@
Any errors the daemons encounter while starting will also be listed in the logging output.
+As an additional verification, check if *kinit* succeeds against the principals that
+you have created on the previous step (:ref:`addadmin_kdb`). Run::
+
+ shell% /usr/local/bin/kinit admin/admin at ATHENA.MIT.EDU
+
+
You are now ready to start configuring the slave KDCs.
.. note:: Assuming you are setting the KDCs up so that you can easily switch the master KDC with one of the slaves,
Modified: trunk/doc/rst_source/krb_admins/install_kdc/mod_conf.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/mod_conf.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/mod_conf.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -10,6 +10,14 @@
and this section will explain those.
For more information on Kerberos V5 configuration files see :ref:`krb5.conf` and :ref:`kdc.conf`.
+If the locations for these configuration files differs from the default ones,
+set *KRB5_CONFIG* and *KRB5_KDC_PROFILE* environment variables to point to the
+*krb5.conf* and *kdc.conf* respectively.
+For example::
+
+ export KRB5_CONFIG=/yourdir/krb5.conf
+ export KRB5_KDC_PROFILE=/yourdir/kdc.conf
+
*krb5.conf*
-------------
@@ -26,6 +34,9 @@
[libdefaults]
default_realm = ATHENA.MIT.EDU
+ # if the default location does not suit your setup,
+ # explicitly configure the keytab location:
+ # default_keytab_name = FILE:/var/krb5kdc/krb5.keytab
[realms]
ATHENA.MIT.EDU = {
@@ -53,11 +64,23 @@
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal aes128-cts-hmac-sha1-96:normal
+ # if the default location does not suit your setup,
+ # explicitly configure the following four values:
+ # database_name = /var/krb5kdc/principal
+ # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
+ # admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
+ # acl_file = /var/krb5kdc/kadm5.acl
}
-Replace *ATHENA.MIT.EDU* and *kerberos.mit.edu* with the name of your Kerberos realm and server respectively.
+Replace *ATHENA.MIT.EDU* and *kerberos.mit.edu* with the name of your Kerberos *realm* and *server* respectively.
+.. note:: You have to have write permission on the target directories
+ (these directories must exist) used by
+ *database_name, key_stash_file, admin_keytab* and *acl_file*
+
+
+
------------
Feedback:
Modified: trunk/doc/rst_source/krb_admins/install_kdc/slave_install.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/slave_install.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/krb_admins/install_kdc/slave_install.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -16,7 +16,7 @@
For example, if the master KDC were called *kerberos.mit.edu*, and you had slave KDC named *kerberos-1.mit.edu*,
you would type the following::
- shell% /usr/local/sbin/kadmin
+ shell% /usr/local/bin/kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
NOTICE: no policy specified for "host/kerberos.mit.edu at ATHENA.MIT.EDU"; assigning "default"
Principal "host/kerberos.mit.edu at ATHENA.MIT.EDU" created.
@@ -73,10 +73,11 @@
You will now initialize the slave database::
- kdb5_util create
+ shell% /usr/local/sbin/kdb5_util create
-Caution: you will use :ref:`kdb5_util(8)` but without exporting the stash file (-s argument), i
-thus avoiding the obliteration of the one you just copied from the master.
+.. caution:: You will use :ref:`kdb5_util(8)` but without exporting the stash file (-s argument), i
+ thus avoiding the obliteration of the one you just copied from the master.
+
When asking for the database Master Password, type in anything you want.
The whole dummy database will be erased upon the first propagation from master.
@@ -96,6 +97,8 @@
Then, add the following line to */etc/inetd.conf* file on each KDC (Adjust the path to *kpropd*)::
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+ eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -5 -c -e
+
You also need to add the following lines to */etc/services* on each KDC (assuming that default ports are used)::
@@ -105,12 +108,22 @@
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
-
-.. note:: Do not start slave KDC - you still do not have a copy of the master's database.
+Restart *inetd* daemon.
+
+
+Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon "kpropd -S" or,
+if the default locations must be overridden,::
+
+ shell% /usr/local/sbin/kpropd -S -a path-to-kpropd.acl -r ATHENA.MIT.EDU -f /var/krb5kdc/from_master
+
+ waiting for a kprop connection
+
Now that the slave KDC is able to accept database propagation, you’ll need to propagate the database from the master server.
+NOTE: Do not start slave KDC - you still do not have a copy of the master's database.
+
------------
Feedback:
Modified: trunk/doc/rst_source/relay/build_this.rst
===================================================================
--- trunk/doc/rst_source/relay/build_this.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/relay/build_this.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -96,7 +96,7 @@
6. Rebuild Sphinx source. From the *trunk/doc/rst_source* run::
- sphinx-build . output_dir
+ sphinx-build . output_dir
.. _Part_B:
Modified: trunk/doc/rst_source/relay/index.rst
===================================================================
--- trunk/doc/rst_source/relay/index.rst 2011-11-04 05:53:23 UTC (rev 25433)
+++ trunk/doc/rst_source/relay/index.rst 2011-11-04 17:13:39 UTC (rev 25434)
@@ -1,3 +1,5 @@
+About this project
+======================
.. toctree::
:maxdepth: 1
More information about the cvs-krb5
mailing list