Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching

HARMAN punjabibecks at gmail.com
Sat Mar 21 22:28:16 EDT 2015


I am trying to set up Kerberos on Redhat with slaves and database
propagation (not incremental). I am going through MIT's documentation for
KDC installation and configuration. Currently, I have three doubts/issues:


1. Do we need kpropd running on the slave KDC, even if we do not have
incremental propagation?

I started xinetd service, and tried propagating database (without starting
kpropd, as I have not configured incremental propagation), and it gave me
an error:
kprop: Connection refused while connecting to server
However, when I started kpropd in the same setup without any configuration
change, I was able to successfully propagate the database.

As per the document, it says:
[Re]start inetd daemon. Alternatively, start kpropd as a stand-alone
daemon. This is required when incremental propagation is enabled.
I went through MIT's Troubleshooting page as well, and it said the same,
i.e. inetd can run kprop.

My inetd.conf:
krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd


2. Do we need to add a Kerberos Administration Server (admin_server) for the
slave KDC in krb5.conf? Or, in other words, can we have more than one
admin_server property configured in krb5.conf?

Since we are configuring a master-slave setup and can switch to a slave KDC,
making it the new master, at any point in time, we would need to start a
Kerberos Administration Server (kadmind) on the new master as well. Do we
need to have the hosts for both admin servers listed in the krb5.conf file?

I tried adding both the hosts, but it turns out that this property only
picks the last configured one.

e.g. if a krb5.conf looks like:
[realms]
KRB.MY.DOMAIN = {
kdc = old-master-host.my.domain
kdc = new-master-host.my.domain
admin_server = old-master-host.my.domain
admin_server = new-master-host.my.domain
}
[domain_realm]
.my.domain = KRB.MY.DOMAIN

In such a case, the admin server would be looked up only at
new-master-host.my.domain, even if it is running on
old-master-host.my.domain.


3. Can we start the Kerberos Administration Server on a slave KDC machine, as
specified in the MIT documentation?

I tried starting Kerberos Administration Server (kadmind) on my new master
and I got an error:
Error. This appears to be a slave server, found kpropd.acl

Is it not advisable to start the Administration Server on the slave machine,
or do we have to [re]move the kpropd.acl file before we can start the
Administration Server?

I would really appreciate any pointers or help.
Thanks in advance!

Regards,
Harman
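An added example, not part of the original post: a small POSIX shell script that reads a krb5.conf in the layout shown above and reports which admin_server a realm stanza resolves to when several are listed (the last one, as the post observed), and whether a KDC directory carries the kpropd.acl that kadmind refused to start over. The temporary paths and the sample files are constructed here; the realm name is the post's.

```shell
#!/bin/sh
# Added example: inspect a krb5.conf and a KDC directory before switching
# masters. Uses only awk and sh; all paths below are constructed.

# Print the admin_server that libkrb5 ends up with for REALM: the last
# admin_server line inside "REALM = { ... }" under [realms], reproducing
# the "last one wins" behaviour seen in the post.
effective_admin_server() {
    conf="$1"; realm="$2"
    awk -v realm="$realm" '
        /^[[:space:]]*\[/ { section = $0
                            sub(/^[[:space:]]*\[/, "", section)
                            sub(/\][[:space:]]*$/, "", section) }
        section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }
        inrealm && $1 == "admin_server" { last = $3 }
        END { print last }
    ' "$conf"
}

# Report the role a KDC directory implies. kadmind refuses to start while
# kpropd.acl exists ("This appears to be a slave server, found kpropd.acl"),
# so a promoted slave must have that file moved aside before kadmind runs.
kdc_role() {
    if [ -e "$1/kpropd.acl" ]; then echo slave; else echo master; fi
}

# Constructed sample data mirroring the post's krb5.conf.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
default_realm = KRB.MY.DOMAIN
[realms]
KRB.MY.DOMAIN = {
kdc = old-master-host.my.domain
kdc = new-master-host.my.domain
admin_server = old-master-host.my.domain
admin_server = new-master-host.my.domain
}
[domain_realm]
.my.domain = KRB.MY.DOMAIN
EOF
mkdir -p "$TMP/slave-kdc" "$TMP/master-kdc"
: > "$TMP/slave-kdc/kpropd.acl"   # a slave's KDC directory holds kpropd.acl

echo "admin_server used: $(effective_admin_server "$TMP/krb5.conf" KRB.MY.DOMAIN)"
echo "slave-kdc role:    $(kdc_role "$TMP/slave-kdc")"
echo "master-kdc role:   $(kdc_role "$TMP/master-kdc")"
```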
