Replicated LDAP as backend
tomas.kuthan
tomas.kuthan at oracle.com
Fri Jul 25 00:59:15 EDT 2014
ktadd generates a new random key and stores this new key in the keytab, so this too has to be done on the master.
Tomas
-------- Original message --------
From: Paul van der Vlis <paul at vandervlis.nl>
Date: 25/07/2014 00:45 (GMT+01:00)
To: Robert Wehn <robert.wehn at rz.uni-augsburg.de>,kerberos at mit.edu
Subject: Re: Replicated LDAP as backend
op 24-07-14 19:16, Robert Wehn schreef:
>
> Am 24.07.2014 11:44, schrieb Paul van der Vlis:
>> I am wondering a bit why this does not work on a client on the new
>> leocation:
>> -------
>> root at client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
>> Authenticating as principal paul/admin with password.
>> Password for paul/admin at DOMAIN.NL:
>> kadmin: Kerberos database constraints violated while changing
>> nfs/client.domain.nl's key
>> --------
>> Maybe kadmin tries to write something to the LDAP?
>> Or is it not-related?
>> On the old location this works fine.
> as Benjamin pionted out, if your LDAP Backend is master/slave, the on
> the slave location the Kerberos Server is also a slave, as changes can't
> be done there (not replicated back).
>
> So your kadmin server can only be on the "Master Site", no "kadmin" to
> the slave server is possible. If your Master Server is not reachable
> kadmin (and password changes) cannot be done until the connection is
> online again.
The command I give is to download a key, not to change anything.
But maybe it tries to write something too, no idea.
Does it make sence to run krb5-admin-server at the slave-kdc server on
the new location or is it better to stop this service?
I think it's a good idea to change the "admin_server" setting in
/etc/krb5.conf on the new location to the server at the old location.
Correct?
With regards,
Paul van der Vlis.
--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list