Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching

HARMAN punjabibecks at gmail.com
Sat Mar 21 23:13:24 EDT 2015


Hi Greg

Thanks a lot for such a great explanation.

I really appreciate all the effort.

Just a little more info on the 1st point, I cannot see any incoming
connections in messages unless I do not start a kprop.
Mar 21 14:40:55 my-slave-host xinetd[22894]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Mar 21 14:40:55 my-slave-host xinetd[22894]: Started working: 0 available services
Mar 22 01:10:42 my-slave-host kpropd[24213]: Connection from my-master-host

Anything you could think of that I might have configured wrong?

Thanks,
Harman


On Sun, Mar 22, 2015 at 8:33 AM, Greg Hudson <ghudson at mit.edu> wrote:

> On 03/21/2015 10:28 PM, HARMAN wrote:
> > I started xinetd service, and tried propagating database (without starting
> > kpropd, as I have not configured incremental propagation), and it gave me
> > an error:
> > kprop: Connection refused while connecting to server
>
> I couldn't figure out what's wrong here.  kpropd ought to be able to run
> out of inetd or a similar service if you aren't doing incremental
> propagation.
>
> > 2. Do we need to add Kerberos Administration Server (admin_server) for
> > slave KDC in krb5.conf? OR In other words, can we have more than one
> > admin_server properties configured in krb5.conf?
>
> Not presently.  The kadmin client code currently only handles one server
> hostname.
>
> > 3. Can we start Kerberos Administration Server on a slave KDC machine, as
> > specified in MIT documentation?
>
> Yes, but it might not be a good idea--any changes made through a slave's
> kadmind service will be overwritten by the next propagation.
>
> > I tried starting Kerberos Administration Server (kadmind) on my new master
> > and I got an error:
> > Error. This appears to be a slave server, found kpropd.acl
>
> That error is coming from Red Hat's system scripts, not from kadmind
> itself.
>



-- 
HARMAN

