master and n-slaves, stash file and LDAP backend in an automated environment

Diogenes S. Jesus splash at gmail.com
Tue Jun 28 09:58:59 EDT 2016


Hi everyone.

I'm currently struggling to make krb5kdc start without a stash file - and
no prompt.

As I understood [1], the stash file stores the encrypted master key. This
file is used to automate the start up of KDC to decrypt the local (as in
on-disk) krb database. However the definition is not really that [2] -
stash is used to authenticate the KDC to itself.

However, I'm currently using an LDAP backend and I have no local (on disk)
database on my master.
I'm not using (and don't plan to use) Kerberos built-in replication - I'm
relying on LDAP replicas providing data for slave KDCs, thus taking
advantage of LDAP built-in replication.

That said, what's the role of the stash file in this scenario? To decrypt
krbPrincipalKey LDAP attribute?
If then, all KDCs, regardless of being slave or not, must have the same
stash file - then comes the question: what's the best practice when
spawning new KDCs to retrieve the one shared stash? I think I may have the
answer already - use wallet file object, for example, but any
idea/experience in the area would help.

Thanks in advance.

[1]
https://books.google.com/books?id=dGMd-uay-lkC&printsec=frontcover&redir_esc=y#v=onepage&q&f=false
- page 57
[2] http://web.mit.edu/Kerberos/krb5-1.13/doc/basic/stash_file_def.html
-- 

--------
Dio
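As an added example (not part of Diogenes' message, and not MIT Kerberos' own tooling): whatever mechanism ends up distributing the one shared stash to freshly spawned KDCs, the thing that matters operationally is that the file the KDC reads at start-up is present, owned by the account krb5kdc runs as, and not readable by anyone else, because it is exactly what lets the daemon unlock the master key with no prompt. The pre-start check below verifies that before krb5kdc is launched. The stash path, realm name and the GNU `stat -c` invocation are assumptions; the real location is whatever `key_stash_file` in kdc.conf points at.

```sh
#!/bin/sh
# Added example (not from the mailing-list post): a pre-start check for an
# automated KDC deployment.  It refuses to proceed unless the stash file
#   - exists and is a regular file,
#   - is owned by the expected uid (default 0, i.e. root), and
#   - has no group or world permission bits (mode ends in 00, e.g. 0600).
# The path /var/kerberos/krb5kdc/.k5.EXAMPLE.COM used in the usage line is an
# assumption; take the real one from key_stash_file in kdc.conf.

# check_stash FILE [EXPECTED_UID]
# Returns 0 when FILE passes all checks, 1 otherwise; prints the reason on failure.
check_stash() {
    f=$1
    want_uid=${2:-0}

    if [ ! -f "$f" ]; then
        echo "stash check failed: $f is missing or not a regular file"
        return 1
    fi

    # GNU stat: owner uid and octal mode.  On BSD/macOS use: stat -f '%u %Lp'
    # The word splitting of the command substitution is intentional.
    set -- $(stat -c '%u %a' "$f") || return 1
    uid=$1
    mode=$2

    if [ "$uid" != "$want_uid" ]; then
        echo "stash check failed: $f owned by uid $uid, expected $want_uid"
        return 1
    fi

    # Last two octal digits are the group and other bits; both must be zero.
    go=${mode#${mode%??}}
    if [ "$go" != "00" ]; then
        echo "stash check failed: $f mode $mode is readable beyond its owner"
        return 1
    fi

    return 0
}

# Usage from a start-up wrapper (path is an assumption):
#   check_stash /var/kerberos/krb5kdc/.k5.EXAMPLE.COM && exec krb5kdc
if [ $# -gt 0 ]; then
    check_stash "$@" && echo "stash check ok: $1"
fi
```

The owner argument exists so the same function works for a KDC that is run as an unprivileged service account; the mode test looks only at group/other bits, so a setuid or sticky bit on the file would still be flagged by any later audit but is not what this check is about.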

