Installing Slave KDC

[Turbo Fredriksson]

>>>>> "Monica" == Monica Lau <mllau2002 at yahoo.com> writes:

    Monica> 1. In order to propagate the master KDC's database to the
    Monica> slave KDC, do I need to first create the database on the
    Monica> slave KDC? 

I did load the dump from KDC-1 on KDC-2. Is this a problem? I have no
idea if it works without loading/creating the db on KDC-2 (the slave)...
 If so, do I follow the same steps as in
    Monica> creating the master KDC database?  Are the krb5.conf files
    Monica> the same on both KDCs?

They are on mine...

    Monica> 2. In the krb5.conf file, if it only contains the master
    Monica> KDC initially and then later, I decide to set up a slave
    Monica> KDC, do I need to add the slave KDC in the krb5.conf
    Monica> file?  Also, when does the krb5.conf file gets read?

Yes (I don't know if MIT Kerberos V uses the SRV records yet).

    Monica> 3. I'm very confused on the part about extracting host
    Monica> keytabs for the KDCs.  So, if my master KDC is "kerberos,"
    Monica> then on that machine, I would do "ktadd host/kerberos" 
    Monica> Then on my slave KDC, "kerberos-1," I would do "ktadd
    Monica> host/kerberos-1"  Are these steps correct?  Do I also have
    Monica> to do "ktadd host/kerberos-1" on the master KDC?

You do BOTH ktadd's on the master, then copy (SAFELY) that keytab to the
slave.

    Monica> 4. When I tried to propagate the master KDC database to
    Monica> the slave KDC, I got this error message:

    Monica> Error msg1:

    Monica> # ./kprop -f /usr/local/var/krb5kdc/slave_datatrans
    Monica> kerberos-1

    Monica> ./kprop: Server not found in Kerberos database while
    Monica> getting initial ticket

Most likley because you don't have 'host/kerberos' (if that's your
master KDC's name) in the slave's keytab...

    Monica> Error msg2:

    Monica>  # ./kprop -f /usr/local/var/krb5kdc/slave_datatrans
    Monica> kerberos-1 at REALM_NAME

    Monica> ./kprop: while setting server principal name

This is a principal, you should use a host to replicate to...

----- s n i p -----
[papadoc.pts/7]$ kprop --help

Usage: kprop [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host
----- s n i p -----

    Monica> I don't know why I'm getting the first error message
    Monica> because host/kerberos-1 is in the database (saw this by
    Monica> typing "getprincs" in kadmin.local).  I tried the second
    Monica> format, and I don't understand the error message.

You need both 'host/kerberos' _AND_ 'host/kerberos-1' (master AND slave
principal) in the db, AND in the keytab...
-- 
munitions class struggle Delta Force Nazi Khaddafi radar Marxist Cuba
$400 million in gold bullion World Trade Center spy domestic
disruption colonel North Korea counter-intelligence
[See http://www.aclu.org/echelonwatch/index.html for more about this]