kdb5_util dump on host1 && kdb5_util load on host2
Turbo Fredriksson
turbo at bayour.com
Tue May 21 12:50:20 EDT 2002
How it this done?
I'm currently running my KDC/Admin server on one host, but I was
planning on removing that, and put it on two spare SPARC (SS4)
that I have laying around...
I've installed the kdc and the admin server on the new machine,
(called tuzjfi). On papadoc (the current KDC) I'm dumping the
database once every day, giving me the file 'krb5-20020521'...
How do I load this on tuzjfi? Initializing the db on tuzjfi
(with 'krb5_newrealm' - Debian GNU/Linux packages), and then
issuing 'kdb5_util load krb5-20020521' will result in an error.
----- s n i p -----
tuzjfi:~# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Initializing database '/var/lib/krb5kdc/principal' for realm 'BAYOUR.COM',
master key name 'K/M at BAYOUR.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Authenticating as principal root/admin at BAYOUR.COM with password.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Authenticating as principal root/admin at BAYOUR.COM with password.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Starting Kerberos KDC: krb5kdc krb524d.
Starting Kerberos Administration Servers: kadmind v5passwdd.
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.
Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.
tuzjfi:~#
----- s n i p -----
Naturally the master key is different from papadoc (I would like to
keep it that way if possible, dont want to have the same identical
pw on both the new KDC's).
Now, this is where I load my dump from papadoc.
----- s n i p -----
tuzjfi:~# /etc/init.d/krb5-admin-server stop
Stopping Kerberos Administration Servers: kadmind v5passwdd.
tuzjfi:~# /etc/init.d/krb5-kdc stop
Stopping Kerberos KDC: krb5kdc krb524d.
tuzjfi:~# kdb5_util load krb5-20020521
tuzjfi:~#
----- s n i p -----
Just in case, I stopped the services.
Then it's time to start the services, but that is not possible...
----- s n i p -----
tuzjfi:~# /etc/init.d/krb5-admin-server start
Starting Kerberos Administration Servers: kadmind: Decrypt integrity check failed while initializing, aborting
kadmind v5passwdd.
tuzjfi:~# /etc/init.d/krb5-kdc start
Starting Kerberos KDC: krb5kdc: cannot initialize realm BAYOUR.COM
krb5kdckrb524d: Decrypt integrity check failed initializing kadm5 library
krb524d.
tuzjfi:~#
----- s n i p -----
--
World Trade Center Khaddafi KGB munitions Legion of Doom explosion
Semtex Cuba congress PLO NORAD SDI Mossad 747 cryptographic
[See http://www.aclu.org/echelonwatch/index.html for more about this]
More information about the Kerberos
mailing list