Sun Microsystems, Inc.
How to Configure a Slave KDC

In this procedure, a new slave KDC named kdc3 is configured. This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Slave KDC = kdc2.example.com and kdc3.example.com

  • admin principal = kws/admin

  • Online help URL = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956


    Note - Adjust the URL to point to the "SEAM Administration Tool" section, as described in the "Online Help URL".


  1. Complete the prerequisites for configuring a slave KDC.

    The master KDC must be configured. For specific instructions if this slave is to be swappable, see "Swapping a Master KDC and a Slave KDC".

  2. On the master KDC, become superuser.

  3. On the master KDC, start kadmin.

    You must log on with one of the admin principal names that you created when you configured the master KDC.

    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Enter kws/admin password>
    kadmin: 

    a. On the master KDC, add the slave host principal to the database, if not already done.

      In order for the slave to function, it must have a host principal. Note that when the principal instance is a host name, the FQDN must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin: addprinc -randkey host/kdc3.example.com
      Principal "host/kdc3.example.com@EXAMPLE.COM" created.
      kadmin: 

    b. (Optional) On the master KDC, create the slave KDC root principal.

      This principal is only needed if the slave will be NFS-mounting an authenticated file system. Note that when the principal instance is a host name, the FQDN must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin: addprinc root/kdc3.example.com
      Enter password for principal root/kdc3.example.com@EXAMPLE.COM: <type the password>
      Re-enter password for principal root/kdc3.example.com@EXAMPLE.COM: <type it again>
      Principal "root/kdc3.example.com@EXAMPLE.COM" created.
      kadmin: 

    c. Quit kadmin.

      kadmin: quit

  4. On the master KDC, edit the Kerberos configuration file (krb5.conf).

    You need to add an entry for each slave. See the krb5.conf(4) man page for a full description of this file.

    kdc1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM

    [realms]
            EXAMPLE.COM = {
                    kdc = kdc1.example.com
                    kdc = kdc2.example.com
                    kdc = kdc3.example.com
                    admin_server = kdc1.example.com
            }

    [domain_realm]
            .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent,
    # this entry is not needed
    #
    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log

    [appdefaults]
            gkadmin = {
                    help_url = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
            }

  5. On the master KDC, add an entry for each slave KDC into the database propagation configuration file (kpropd.acl).

    See the kprop(1M) man page for a full description of this file.

    kdc1 # cat /etc/krb5/kpropd.acl
    host/kdc1.example.com@EXAMPLE.COM
    host/kdc2.example.com@EXAMPLE.COM
    host/kdc3.example.com@EXAMPLE.COM

  6. On all slave KDCs, copy the KDC administration files from the master KDC server.

    This step must be performed on all slave KDCs, because the master KDC server holds updated information that each KDC server needs. You can use ftp or a similar transfer mechanism to copy the following files from the master KDC:

    • /etc/krb5/krb5.conf

    • /etc/krb5/kdc.conf

    • /etc/krb5/kpropd.acl

  7. On the new slave, add the slave's host principal to the slave's keytab file by using kadmin.

    You must log on with one of the admin principal names that you created when you configured the master KDC. This entry allows kprop and other Kerberized applications to function. Note that when the principal instance is a host name, the FQDN must be entered in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

    kdc3 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: ktadd host/kdc3.example.com
    kadmin: Entry for principal host/kdc3.example.com with
      kvno 3, encryption type DES-CBC-CRC added to keytab
      WRFILE:/etc/krb5/krb5.keytab
    kadmin: quit

  8. On the master KDC, add slave KDC names to the cron job, which automatically runs the backups, by running crontab -e.

    Add the name of each slave KDC server at the end of the kprop_script line.

    10 3 * * * /usr/lib/krb5/kprop_script kdc2.example.com kdc3.example.com

    You might also want to change the time of the backups. This configuration starts the backup process every day at 3:10 AM.

  9. On the master KDC, back up and propagate the database by using kprop_script.

    If a backup copy of the database is already available, it is not necessary to complete another backup. See "How to Manually Propagate the Kerberos Database to the Slave KDCs" for further instructions.

    kdc1 # /usr/lib/krb5/kprop_script kdc3.example.com
    Database propagation to kdc3.example.com: SUCCEEDED

  10. On the new slave, create a stash file by using kdb5_util.

    kdc3 # /usr/sbin/kdb5_util stash
    kdb5_util: Cannot find/read stored master key while reading master key
    kdb5_util: Warning: proceeding without master key
    
    Enter KDC database master key: <type the key>

  11. (Optional)

    On the new slave KDC, synchronize its clock with the master KDC's clock by using NTP or another clock synchronization mechanism.

    It is not required to install and use the Network Time Protocol (NTP). However, every clock must be within the maximum clock skew that is defined in the libdefaults section of the krb5.conf file in order for authentication to succeed. See "Synchronizing Clocks between KDCs and SEAM Clients" for information about NTP.

  12. On the new slave, start the KDC daemon (krb5kdc).

    kdc3 # /etc/init.d/kdc start
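As an added example that is not part of the Sun procedure, the following shell check confirms, before kprop_script is run, that a new slave is named consistently in the three places the steps above touch: the kdc entries in krb5.conf, the host principals in kpropd.acl, and the kprop_script cron line. The file paths, the EXAMPLE.COM realm and the sample files it builds are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not part of the Sun procedure: confirm that a new slave KDC
# is named consistently in krb5.conf, kpropd.acl and the kprop_script cron
# line before running kprop_script. File paths and realm are assumptions.
LC_ALL=C; export LC_ALL

realm_of() {   # realm_of KRB5CONF -> default_realm from [libdefaults]
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

kdcs_of() {    # kdcs_of KRB5CONF -> one host per line from the "kdc =" entries
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# check_slave KRB5CONF KPROPD_ACL CRONTAB SLAVE_FQDN
# Returns 0 when SLAVE_FQDN is lowercase, listed as a kdc, allowed in
# kpropd.acl and named on the kprop_script line; otherwise prints each gap
# and returns 1 (propagation to that slave would fail or never be attempted).
check_slave() {
    conf=$1 acl=$2 cron=$3 slave=$4 rc=0
    realm=$(realm_of "$conf")
    case $slave in
        *[A-Z]*) echo "$slave: host principal instance must be a lowercase FQDN"; rc=1 ;;
    esac
    kdcs_of "$conf" | grep -qx "$slave" || { echo "$conf: no 'kdc = $slave' in [realms]"; rc=1; }
    grep -qx "host/$slave@$realm" "$acl" || { echo "$acl: missing host/$slave@$realm"; rc=1; }
    grep kprop_script "$cron" | tr -s ' \t' '\n' | grep -qx "$slave" \
        || { echo "$cron: kprop_script line does not name $slave"; rc=1; }
    return $rc
}
# Constructed sample files that mirror the configuration shown on this page.
dir=${TMPDIR:-/tmp}/seam-check.$$; mkdir -p "$dir"
cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                kdc = kdc3.example.com
                admin_server = kdc1.example.com
        }
EOF
printf 'host/kdc%s.example.com@EXAMPLE.COM\n' 1 2 3 > "$dir/kpropd.acl"
printf '10 3 * * * /usr/lib/krb5/kprop_script kdc2.example.com kdc3.example.com\n' > "$dir/crontab"
# kdc3 passes; kdc4 (never added) and KDC3 (wrong case) are reported.
for s in kdc3.example.com kdc4.example.com KDC3.example.com; do
    if check_slave "$dir/krb5.conf" "$dir/kpropd.acl" "$dir/crontab" "$s"; then echo "$s: ready for kprop"; fi
done
```

Run it on the master KDC with the real /etc/krb5/krb5.conf, /etc/krb5/kpropd.acl and the root crontab in place of the constructed files.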