Replicated LDAP as backend
Paul van der Vlis
paul at vandervlis.nl
Thu Jul 24 18:45:46 EDT 2014
op 24-07-14 19:16, Robert Wehn schreef:
>
> Am 24.07.2014 11:44, schrieb Paul van der Vlis:
>> I am wondering a bit why this does not work on a client on the new
>> leocation:
>> -------
>> root at client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
>> Authenticating as principal paul/admin with password.
>> Password for paul/admin at DOMAIN.NL:
>> kadmin: Kerberos database constraints violated while changing
>> nfs/client.domain.nl's key
>> --------
>> Maybe kadmin tries to write something to the LDAP?
>> Or is it not-related?
>> On the old location this works fine.
> as Benjamin pionted out, if your LDAP Backend is master/slave, the on
> the slave location the Kerberos Server is also a slave, as changes can't
> be done there (not replicated back).
>
> So your kadmin server can only be on the "Master Site", no "kadmin" to
> the slave server is possible. If your Master Server is not reachable
> kadmin (and password changes) cannot be done until the connection is
> online again.
The command I give is to download a key, not to change anything.
But maybe it tries to write something too, no idea.
Does it make sence to run krb5-admin-server at the slave-kdc server on
the new location or is it better to stop this service?
I think it's a good idea to change the "admin_server" setting in
/etc/krb5.conf on the new location to the server at the old location.
Correct?
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
More information about the Kerberos
mailing list