Few quick questions

klaas hagemann klaas at northsailor.de
Tue Jul 30 02:39:43 EDT 2002


Hi Monica,

Actually I am not sure whether the server will start without the krb5.conf file or not. But as far as I see it, the krb5.conf file hosts the configuration for the client side, e.g. which server is used and so on. Which value do you think takes effect on the server? I see your point concerning the clock skew, but for the ticket lifetime there is a maximum in the kdc.conf and a "request value" in the krb5.conf (although it does not seem to work this way....). About the clock skew, do not bother at all; keep your clocks synchronized using ntp or something similar.

When you want to change a slave kdc into a master kdc you have to make changes manually (start kadmind-daemon, create kadmin-keytabs, start replication...) and you have to take back these changes afterwards. So anyway, there is a lot to do. You can write a small script doing this for you (maybe you already use kerberized ssh for transferring this automatically), but I do not know about a kerberos procedure for that.

Maybe you can first set up the broken master server as a slave server, start replication and then switch again? This is almost the same as dumping and loading it....

Klaas

----- Original Message ----- 
  From: Monica Lau 
  To: klaas hagemann ; kerberos at mit.edu 
  Sent: Monday, July 29, 2002 10:49 PM
  Subject: Re: Few quick questions


  Hi Klaas, 

  Thanks for your help!  I'm a bit confused by the krb5.conf file -- doesn't the server also read this configuration file at start up?  Also, I see your point in dumping the slave kdc database and then loading that onto the master kdc database manually -- but is there some way to automate this process safely? 

  Thanks, 

  Monica 

   

   klaas hagemann wrote: 

    Hi Monica,

    As far as I understood it, changes in krb5.conf take effect immediately. This is a client-side configuration file, which is used by kinit and other "kerberized" applications.

    You can make a dump of the slave kdc manually and load it in the master kdc by hand. This is no problem. Even creating a new master kdc is possible. Maybe you have to create the kadmin-keytabs and the stash-file again, but that is no problem.

    Kerberos uses the system time. So you need to have an external way to get your system times synchronised, like an ntp-server.

    Klaas
      ----- Original Message ----- 
      From: Monica Lau 
      To: kerberos at mit.edu 
      Sent: Monday, July 29, 2002 7:12 PM
      Subject: Few quick questions


      Hi all, 

      I'm very new to Kerberos, and I have some general questions below.  Any suggestions are greatly appreciated.  Thanks for your time and help! 

      1. In the krb5.conf file, I can specify the clock skew and ticket lifetime times.  If I want to change these values after the kdc is already running, do I need to restart the kdc?  Is there some way that the kdc would read these values dynamically and take note of these changes? 

      2. Can slave KDC propagate its database back to the master KDC?  Let's say that the master KDC goes down and the administrator makes changes to the slave KDC database.  Now before we restart the master KDC, we want to update its database with the changes.  Is it possible for slave KDC to propagate its database back to master? 

      3. How do I set the KDC time?  Are there some kadmin options to do this?

      Thanks,

      Monica




