Installing Slave KDC

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jul 11 12:47:28 EDT 2002


>You do BOTH ktadd's on the master, then copy (SAFELY) that keytab to the
>slave.

That's bad advice, IMHO.

One common problem people run into when setting up their second KDC is
that at that point, they don't really understand what the host secret
is _for_, and they're not aware of the subtle fact that ktadd generates
a new key.

So many people end up doing "ktadd" of BOTH principals on BOTH KDCs, and
of course that screws things up royally, because the principals in one
keytab don't match what's stored in the database.

To reinforce the idea that you really want one principal per host/keytab,
I always tell people to run kadmin/ktadd on the destination host ... e.g.,
make sure "ktadd host/kerberos-2" ONLY happens on kerberos-2.  Yes, you
can ktadd everything on the master and copy the keytab over, but that has
two problems:

- You're UNNECESSARILY exposing the other host's key on each host.  Admittedly,
  since it's the KDC and has a copy of the whole freaking database, then
  it's probably moot, but still ... and maybe you're one of the few people
  in the world who doesn't use a stash file :-)
- It's not clear at that point that you really really need to copy the keytab
  securely.  If you make sure you use kadmin, then it does it for you.

--Ken
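Added example (POSIX shell with awk), not part of Ken's post or of the Kerberos distribution: a check that encodes the two rules he gives, namely that a KDC's keytab should hold ONLY that host's own principal, and that each entry's kvno must match what the KDC database holds (a ktadd run anywhere else generates a new key and bumps the kvno, leaving the copied keytab stale). The hostnames, realm, kvno values and the "klist -k" / "getprinc" text are constructed sample data in the format those commands print; nothing is run against a live KDC.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a KDC keytab against
# the rule "one host principal per keytab, kvno matching the database".
# All inputs are constructed sample text; no kadmin/klist is executed.

# Constructed: keytab as it should look on kerberos-2 after running
# "ktadd host/kerberos-2.example.com" on kerberos-2 itself (klist -k format).
GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kerberos-2.example.com@EXAMPLE.COM
   2 host/kerberos-2.example.com@EXAMPLE.COM'

# Constructed: keytab produced by ktadd-ing BOTH hosts on the master and
# copying it over. It exposes the master's key and carries a stale kvno
# because a later ktadd on kerberos-2 moved the database to vno 2.
BAD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/kerberos-1.example.com@EXAMPLE.COM
   1 host/kerberos-2.example.com@EXAMPLE.COM'

# Constructed: relevant lines of "kadmin -q 'getprinc host/kerberos-2.example.com'".
DB_GETPRINC='Principal: host/kerberos-2.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96'

# db_kvno GETPRINC_TEXT: print the highest key version number in the database.
db_kvno() {
  printf '%s\n' "$1" | awk '
    /^Key: vno/ { sub(",", "", $3); if ($3 + 0 > max) max = $3 + 0 }
    END { print max + 0 }'
}

# keytab_check KEYTAB_TEXT HOST DB_VNO
# Exit 0 when every entry is host/HOST@... with kvno DB_VNO; otherwise
# report each problem on stderr and exit 1.
keytab_check() {
  printf '%s\n' "$1" | awk -v host="$2" -v want="$3" '
    NR <= 3 { next }                 # skip the three klist header lines
    NF < 2  { next }
    {
      vno = $1; princ = $2
      split(princ, p, "@"); name = p[1]
      if (name != ("host/" host)) {
        printf "foreign principal in keytab: %s\n", princ > "/dev/stderr"
        bad = 1
      } else if (vno + 0 != want + 0) {
        printf "kvno mismatch for %s: keytab %s, database %s\n", princ, vno, want > "/dev/stderr"
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Stand-alone demo: the keytab built on the host itself passes, the copied one fails.
vno=$(db_kvno "$DB_GETPRINC")
if keytab_check "$GOOD_KEYTAB" kerberos-2.example.com "$vno"; then
  echo "good keytab: OK"
fi
if keytab_check "$BAD_KEYTAB" kerberos-2.example.com "$vno"; then
  echo "bad keytab: unexpectedly OK"
else
  echo "bad keytab: rejected"
fi
```

On a real slave you would feed keytab_check the output of `klist -k` and db_kvno the output of `kadmin -q 'getprinc host/<fqdn>'`; a "foreign principal" finding means the keytab was built on another machine, and a kvno mismatch means ktadd was run more than once and the keytab on this host is no longer the one the database knows about.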
