Functional test of KDC for monitoring?
John Devitofranceschi
jdvf at optonline.net
Wed Feb 13 07:12:36 EST 2013
On Jan 15, 2013, at 9:58 AM, Nico Williams <nico at cryptonector.com> wrote:
> On Tue, Jan 15, 2013 at 12:38 AM, Roland C. Dowdeswell <elric at imrryr.org> wrote:
>> And [to the MIT developers], I think that it would be nice if there
>> were either (1) functionality within Kerberos which allowed for
>> the writing of programs such as this without overriding functions,
>> i.e. allow library users to tell the libs to use a particular KDC;
>> or (2) if k5ping or a similar program were integrated into MIT
>> Kerberos to aid in monitoring as this is a need that all enterprise
>> deployments of Kerberos need.
>
> I second this. k5ping is much too useful and conceptually simple to
> be so difficult to implement.
>
One thing that we do is monitor propagation. Something like:
    # Principal most recently changed on the master (from logs or kproplog)
    lpc=$(get_last_princ_changed)
    # Key version number of that principal as the master sees it
    master_lpc_kvno=$(get_kvno "$master_kdc" "$lpc")
    init_error_state
    for kdc in "${slave_kdc_list[@]}"; do
        # Same principal as each slave sees it; a mismatch means propagation lag
        slave_lpc_kvno=$(get_kvno "$kdc" "$lpc")
        if [ "$master_lpc_kvno" != "$slave_lpc_kvno" ]; then
            set_error_state
        fi
    done
    report_error_state
The challenge that I see is getting the last princ changed. You can scrape the logs or run the monitor on the master and use kproplog.
What would be nice is if kadmin had client-visible requests that gave you visibility into iprop status.
jd
> Nico
> --
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
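A worked version of the propagation check described in the message above, added here as an example and not part of the original post. It assumes (hypothetically) that a wrapper runs `kadmin ... getprinc <princ>` against the master and each slave out of band and hands the text output to this code; the samples below are constructed stand-ins for that output, so nothing here contacts a KDC. The only format relied on is the `Key: vno N, <enctype>` line that MIT kadmin's getprinc prints per key. Beyond the pseudocode, it distinguishes a slave that is behind the master from one that is ahead of it or is missing the principal altogether, since those need different follow-up:

```python
"""Propagation monitor: compare the kvno of the last-changed principal
between the master KDC and each slave (added example, not from the post).

Assumption (hypothetical): getprinc output for the principal has already
been collected per KDC, e.g. via kadmin, and is passed in as text."""
import re
from typing import Dict, Optional

# Matches the per-key lines kadmin getprinc prints: "Key: vno 7, aes256-cts-hmac-sha1-96"
KEY_LINE = re.compile(r"^\s*Key:\s+vno\s+(\d+),", re.MULTILINE)


def parse_kvno(getprinc_output: str) -> Optional[int]:
    """Return the highest key version number found in getprinc output,
    or None when no Key line is present (principal absent, command failed)."""
    vnos = [int(m.group(1)) for m in KEY_LINE.finditer(getprinc_output)]
    return max(vnos) if vnos else None


def check_propagation(master_output: str, slave_outputs: Dict[str, str]) -> Dict[str, str]:
    """Compare the master's kvno for the last-changed principal against each
    slave's view of it. Returns {kdc_name: status}."""
    master_kvno = parse_kvno(master_output)
    results: Dict[str, str] = {}
    for kdc, output in slave_outputs.items():
        slave_kvno = parse_kvno(output)
        if master_kvno is None:
            results[kdc] = "UNKNOWN: could not read master kvno"
        elif slave_kvno is None:
            results[kdc] = "MISSING: principal not present on slave"
        elif slave_kvno == master_kvno:
            results[kdc] = "OK"
        elif slave_kvno < master_kvno:
            results[kdc] = f"STALE: slave vno {slave_kvno} < master vno {master_kvno}"
        else:
            # A slave ahead of the master usually means the wrong host is being
            # treated as master, or a change was made directly on the slave.
            results[kdc] = f"AHEAD: slave vno {slave_kvno} > master vno {master_kvno}"
    return results


def error_state(results: Dict[str, str]) -> bool:
    """True if any slave is not in sync (the report_error_state of the post)."""
    return any(status != "OK" for status in results.values())


# Constructed sample getprinc output (not captured from a real KDC).
MASTER_OUTPUT = """Principal: host/app1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Jan 15 00:30:12 EST 2013
Number of keys: 2
Key: vno 7, aes256-cts-hmac-sha1-96
Key: vno 7, aes128-cts-hmac-sha1-96
"""

SLAVE_OUTPUTS = {
    "kdc2.example.com": MASTER_OUTPUT,  # fully propagated
    "kdc3.example.com": MASTER_OUTPUT.replace("vno 7", "vno 6"),  # one change behind
    "kdc4.example.com": "get_principal: Principal does not exist while retrieving \"host/app1.example.com@EXAMPLE.COM\".\n",
}

if __name__ == "__main__":
    report = check_propagation(MASTER_OUTPUT, SLAVE_OUTPUTS)
    for kdc, status in sorted(report.items()):
        print(f"{kdc}: {status}")
    print("propagation error" if error_state(report) else "all slaves in sync")
```

Feeding the parsed statuses to a monitoring system lets a "STALE" result be alarmed separately from "MISSING", which on a slave usually means iprop has not yet delivered the add rather than a lost key.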