"If you choose to install a stash file..."

Daniel Kahn Gillmor dkg-mit.edu at fifthhorseman.net
Wed Jan 10 00:51:46 EST 2007


Sorry to be late for this discussion of the stash file.

In addition to needing to enter a passphrase to launch krb5kdc (with
the -m option), it looks like kdb5_util will also need a passphrase,
understandably.

This means that the traditional cronjob-triggered kprop -> kpropd
replication won't work either, right?

Any suggestions for how to do speedy, automatic replication between
stashless KDCs?

I've got GSSAPI-enabled ssh functioning, so I was considering just
moving the entire principal.* fileset across the network with rsync,
but I'm not sure what would be necessary for the slave KDC to notice
that its database has been changed.  Can I send a SIGHUP or something
similar to get it to rescan, without needing to enter the master key
by hand again?

Is there some other method I could use to have a replicated, stashless
krb5 domain?

Thanks for any suggestions you might have,

	--dkg


