Setting up slave KDC when realm info is in LDAP (initially created with kdb5_ldap_util)

Holger Rauch holger.rauch at empic.de
Sat Jun 5 13:43:52 EDT 2010


Hi,

I'm using Debian Lenny with the standard MIT Kerberos and OpenLDAP
packages. So far, I've managed to set up OpenLDAP delta syncrepl (so
I shouldn't need the kpropd (slave KDC)/kprop (master KDC) combo).

I googled about KDC slave setups but unfortunately didn't come across
any HOWTO for LDAP related setups, only BDB ones.

I've copied the /etc/krb5.conf file of the master server
(/etc/krb5kdc/kdc.conf is a symlink pointing to /etc/krb5.conf since
that file contains all relevant entries). Furthermore,
kdchost2.our.domain runs the slave slapd and kdchost1.our.domain runs
the master slapd server.

When I try to start the slave KDC on host kdchost2.our.domain, I see
this error message in /var/log/kerberos/krb5kdc.log, even though I
copied the service.keyfile from the master KDC:

krb5kdc: Cannot find/read stored master key - while fetching master
key K/M for realm OUR.DOMAIN

It's not obvious to me why I'm getting this error message.

My /etc/krb5.conf file on the KDC slave host (named kdchost2 in the
config below) looks like this (both master KDC and admin server are
running on host kdchost1.our.domain; for reasons of simplicity I
used the LDAP admin account for both the kdc and kadmind DN since it's not
a publicly accessible network):

===

[kdcdefaults]
    kdc_ports = 750,88

[libdefaults]
    default_realm = OUR.DOMAIN
#    dns_lookup_realm = true
#    dns_lookup_kdc = true
    passwd_check_s_address = false
    use_tcp_only = true
    ccache_type = 3
    forwardable = true

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 57600
        renew_lifetime = 57600
        forwardable = true
        krb4_convert = false
    }
    kinit = {
        ticket_lifetime = 57600
        renew_lifetime = 57600
        forwardable = true
    }
    pam-afs-session = {
        aklog_homedir = true
        minimum_uid = 10000
    }

[realms]
    OUR.DOMAIN = {
        database_name = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
        kdc = kdchost1.our.domain
        kdc = kdchost2.our.domain
        admin_server = kdchost1.our.domain
        acl_file = /etc/krb5kdc/kadm5.acl
        database_module = openldap_ldapconf
        default_domain = our.domain
        max_life = 16h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }

    OUR.OTHER.DOMAIN = {
        database_name = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
        kdc = kdchost1.our.other.domain
        kdc = kdchost2.our.other.domain
        admin_server = kdchost1.our.other.domain
        acl_file = /etc/krb5kdc/kadm5.acl
        database_module = openldap_ldapconf
        default_domain = our.other.domain
        max_life = 16h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }

[domain_realm]
    .our.domain = OUR.DOMAIN
    our.domain = OUR.DOMAIN
    .subdom.our.domain = OUR.DOMAIN
    subdom.our.domain = OUR.DOMAIN
#    .our.other.domain = OUR.OTHER.DOMAIN
#    our.other.domain = OUR.OTHER.DOMAIN

[login]
    krb4_convert = true
    krb4_get_tickets = false

[kdc]
    database = {
        dbname = ldap:ou=krb5,ou=org1,dc=ourou,dc=ourcomp
    }

[dbdefaults]
    ldap_kerberos_container_dn = dc=ourou,dc=ourcomp
    database_module = openldap_ldapconf

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = ou=krb5,ou=org1,dc=ourou,dc=ourcomp
        ldap_kdc_dn = "cn=admin,dc=ourou,dc=ourcomp"
        ldap_kadmind_dn = "cn=admin,dc=ourou,dc=ourcomp"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldap://kdchost2.our.domain
        ldap_conns_per_server = 5
    }

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    default = FILE:/var/log/kerberos/krb5lib.log

===

Any help will be greatly appreciated.

Thanks in advance & kind regards,

   Holger
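A pre-flight check for a slave KDC on the kldap backend, added here as an example; it is not part of the post above and not MIT Kerberos code. The error quoted in the post is what krb5kdc reports when it cannot read the local master key stash, which the LDAP replica does not carry; the stash path, the service.keyfile path and the bind DN are passed as arguments, since the post does not show where key_stash_file points on these hosts.

```shell
#!/bin/sh
# Example (not from the original post): local prerequisites a slave KDC needs
# before krb5kdc can fetch the master key K/M from an LDAP-backed realm.
# usage: check_slave_kdc_prereqs STASH_FILE SERVICE_KEYFILE KDC_BIND_DN
# Prints one line per problem and returns the number of problems (0 = ready).
check_slave_kdc_prereqs() {
    stash="$1"; keyfile="$2"; kdc_dn="$3"; problems=0

    # 1. Master key stash. syncrepl replicates the principal entries, but
    #    krb5kdc still unwraps their keys with the master key read from this
    #    local file; if it is missing the log shows "Cannot find/read stored
    #    master key - while fetching master key K/M for realm ...".
    if [ ! -s "$stash" ]; then
        echo "missing master key stash: $stash (create it on this host with kdb5_util stash)"
        problems=$((problems + 1))
    fi

    # 2. LDAP bind password file (ldap_service_password_file). Each line is
    #    "<bind DN>#{HEX}<hex password>", as written by kdb5_ldap_util stashsrvpw,
    #    so the KDC bind DN from [dbmodules] must have an entry.
    if [ ! -s "$keyfile" ]; then
        echo "missing LDAP service password file: $keyfile"
        problems=$((problems + 1))
    elif ! grep -q "^${kdc_dn}#" "$keyfile"; then
        echo "no entry for ldap_kdc_dn $kdc_dn in $keyfile"
        problems=$((problems + 1))
    fi

    # 3. Both files hold long-term secrets: flag group- or world-readable copies.
    for f in "$stash" "$keyfile"; do
        if [ -f "$f" ] && [ -n "$(find "$f" -perm -040 -o -perm -004)" ]; then
            echo "$f is group- or world-readable; chmod 600 it"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Example call with the paths from the post; the stash location is an
# assumption (check key_stash_file or the build default on the host):
# check_slave_kdc_prereqs /etc/krb5kdc/stash /etc/krb5kdc/service.keyfile \
#     "cn=admin,dc=ourou,dc=ourcomp"
```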