Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching
HARMAN
punjabibecks at gmail.com
Sat Mar 21 23:13:24 EDT 2015
Hi Greg
Thanks a lot for such a great explanation.
I really appreciate all the effort.
Just a little more info on the 1st point, I cannot see any incoming
connections in messages unless I do not start a kprop.
Mar 21 14:40:55 my-slave-host xinetd[22894]: xinetd Version 2.3.14 started
with libwrap loadavg labeled-networking options compiled in.
Mar 21 14:40:55 my-slave-host xinetd[22894]: Started working: 0 available
services
Mar 22 01:10:42 my-slave-host kpropd[24213]: Connection from my-master-host
Anything you could think of that I might have configured wrong ?
Thanks,
Harman
On Sun, Mar 22, 2015 at 8:33 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 03/21/2015 10:28 PM, HARMAN wrote:
> > I started xinetd service, and tried propagating database (without
> starting
> > kpropd, as I have not configured incremental propagation), and it gave me
> > an error:
> > kprop: Connection refused while connecting to server
>
> I couldn't figure out what's wrong here. kpropd ought to be able to run
> out of inetd or a similar service if you aren't doing incremental
> propagation.
>
> > 2. Do we need to add Kerberos Administration Server (admin_server) for
> > slave KDC in krb5.conf? OR In other words, can we have more than one
> > admin_server properties configured in krb5.conf?
>
> Not presently. The kadmin client code currently only handles one server
> hostname.
>
> > 3. Can we start Kerberos Administration Server on a slave KDC machine, as
> > specified in MIT documentation?
>
> Yes, but it might not be a good idea--any changes made through a slave's
> kadmind service will be overwritten by the next propagation.
>
> > I tried starting Kerberos Administration Server (kadmind) on my new
> master
> > and I got an error:
> > Error. This appears to be a slave server, found kpropd.acl
>
> That error is coming from Red Hat's system scripts, not from kadmind
> itself.
>
--
HARMAN
More information about the Kerberos
mailing list