Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching
Greg Hudson
ghudson at mit.edu
Sat Mar 21 23:03:16 EDT 2015
On 03/21/2015 10:28 PM, HARMAN wrote:
> I started xinetd service, and tried propagating database (without starting
> kpropd, as I have not configured incremental propagation), and it gave me
> an error:
> kprop: Connection refused while connecting to server
I couldn't figure out what's wrong here. kpropd ought to be able to run
out of inetd or a similar service if you aren't doing incremental
propagation.
> 2. Do we need to add Kerberos Administration Server (admin_server) for
> slave KDC in krb5.conf? OR In other words, can we have more than one
> admin_server properties configured in krb5.conf?
Not presently. The kadmin client code currently only handles one server
hostname.
> 3. Can we start Kerberos Administration Server on a slave KDC machine, as
> specified in MIT documentation?
Yes, but it might not be a good idea--any changes made through a slave's
kadmind service will be overwritten by the next propagation.
> I tried starting Kerberos Administration Server (kadmind) on my new master
> and I got an error:
> Error. This appears to be a slave server, found kpropd.acl
That error is coming from Red Hat's system scripts, not from kadmind itself.
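For the non-incremental setup discussed above (kpropd answering from xinetd, the master pushing a full dump with kprop), the following shell script is an added example written for this page; it is not code from the thread, from MIT Kerberos, or from Red Hat's init scripts. The paths (/usr/sbin/kpropd, /var/kerberos/krb5kdc/slave_datatrans, /var/kerberos/krb5kdc/kpropd.acl), the kdc_role helper that mirrors the "found kpropd.acl, so this is a slave" check the reply attributes to the distribution scripts, and the example slave hostnames are all assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread): master-side propagation helper
# for an MIT Kerberos master/slave pair without incremental propagation, plus
# the xinetd stanza under which kpropd can run on each slave.
# Assumed paths and tool names (adjust for your build/distribution):
DUMP_FILE="${DUMP_FILE:-/var/kerberos/krb5kdc/slave_datatrans}"
KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"
KPROP="${KPROP:-kprop}"
KPROPD="${KPROPD:-/usr/sbin/kpropd}"
KPROPD_ACL="${KPROPD_ACL:-/var/kerberos/krb5kdc/kpropd.acl}"

# Print an xinetd service entry for kpropd. krb5_prop is the /etc/services
# name for TCP port 754. xinetd accepts the connection and hands the socket to
# kpropd, so no long-running kpropd daemon is needed when incremental
# propagation is not in use. A "Connection refused" from kprop means nothing
# is listening on this port on the slave.
kpropd_xinetd_stanza() {
    cat <<EOF
service krb5_prop
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = $KPROPD
}
EOF
}

# Classify a host the way the thread describes the distribution scripts doing
# it (assumption: the presence of a kpropd.acl marks a slave). A new master
# promoted from a slave must therefore have that file removed before kadmind
# is started by those scripts. Usage: kdc_role [acl-path]
kdc_role() {
    acl="${1:-$KPROPD_ACL}"
    if [ -f "$acl" ]; then
        echo slave
    else
        echo master
    fi
}

# Dump the master database and push it to every slave named on the command
# line. Stops at the first failing slave and names it, so a refused connection
# (no kpropd reachable) is reported instead of being lost in a loop.
# Any change made through a slave's kadmind is overwritten by this push.
propagate_to_slaves() {
    [ $# -gt 0 ] || { echo "propagate_to_slaves: no slaves given" >&2; return 2; }
    "$KDB5_UTIL" dump "$DUMP_FILE" || return 1
    for slave in "$@"; do
        if ! "$KPROP" -f "$DUMP_FILE" "$slave"; then
            echo "propagation to $slave failed; is kpropd listening on krb5_prop (754/tcp)?" >&2
            return 1
        fi
    done
    return 0
}
```

Run propagate_to_slaves from the master (for example from cron) with the slave hostnames as arguments, and install the stanza printed by kpropd_xinetd_stanza as /etc/xinetd.d/krb5_prop on each slave before the first push. The tool paths are variables so the procedure can be rehearsed with stub commands before touching a live KDC.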