Kerberos 5, kprop problem
Norbert Veber
nveber at pyre.virge.net
Thu Apr 18 14:10:44 EDT 2002
Ken Hornstein wrote:
>>Hmm. To quote the manual:
>>MIT recommends that your KDCs have a predefined set of CNAME records
>>(DNS hostname aliases), such as kerberos for the master KDC and
>>kerberos-1, kerberos-2, ... for the slave KDCs. This way, if you need to
>>swap a machine, you only need to change a DNS entry, rather than having
>>to change hostnames.
>
> Right, but that's not what you're doing. You always need to use the
> canonical name ... the REAL name. You shouldn't create service tickets
> using aliases (don't create a service ticket called "host/kerberos").
I am not creating a service ticket (unless kprop is doing it behind the
scenes). These are just the pricipals for the KDC's, to quote the
manual again:
Each KDC needs a host principal in the Kerberos database. You can enter
these from any host, once the kadmind daemon is running. For example, if
your master KDC were called kerberos.mit.edu, and you had two KDC slaves
named kerberos-1.mit.edu and kerberos-2.mit.edu, you would type the
following:
shell% /usr/local/sbin/kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
etc..
So the manual says to make CNAME records for your KDC's called
kerberos, kerberos-2, etc. Then to add those CNAME records as
principals. So either you or the manual is wrong, or I'm very dense and
I dont get it :)
Frankly it wouldnt make sense to create kerberos, kerberos-1, etc
CNAMES, and then use canonical names everywhere. Whats the point of
having the CNAME then? The whole idea is that you can switch KDC's -
make a slave into master and vice versa easily by changing the CNAME to
point to the correct canonical names, and making some changes in the
kerberos configuration.
See section: "Switching Master and Slave KDCs"
This procedure would be alot more involved if you used canonical names..
> This is part of the confusion about a CNAME record. The canonical name
> is the part on the right side of the record; the left side of the
> CNAME record is the alias. In Kerberos, you never create principals using
> the alias (well, you _can_, but on Unix implementations, it's almost always
> a bad idea).
If thats true, then the manual needs to be corrected.
More information about the Kerberos
mailing list