Replicated LDAP as backend

Paul van der Vlis paul at vandervlis.nl
Thu Jul 24 18:45:46 EDT 2014


op 24-07-14 19:16, Robert Wehn schreef:
> 
> Am 24.07.2014 11:44, schrieb Paul van der Vlis:

>> I am wondering a bit why this does not work on a client on the new
>> leocation:
>> -------
>> root at client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
>> Authenticating as principal paul/admin with password.
>> Password for paul/admin at DOMAIN.NL:
>> kadmin: Kerberos database constraints violated while changing
>> nfs/client.domain.nl's key
>> --------
>> Maybe kadmin tries to write something to the LDAP?
>> Or is it not-related?
>> On the old location this works fine.
> as Benjamin pionted out, if your LDAP Backend is master/slave, the on
> the slave location the Kerberos Server is also a slave, as changes can't
> be done there (not replicated back).
> 
> So your kadmin server can only be on the "Master Site", no "kadmin" to
> the slave server is possible. If your Master Server is not reachable
> kadmin (and password changes) cannot be done until the connection is
> online again.

The command I give is to download a key, not to change anything.
But maybe it tries to write something too, no idea.

Does it make sence to run krb5-admin-server at the slave-kdc server on
the new location or is it better to stop this service?

I think it's a good idea to change the "admin_server" setting in
/etc/krb5.conf on the new location to the server at the old location.
Correct?

With regards,
Paul van der Vlis.




-- 
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl


More information about the Kerberos mailing list