Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: HP 9000 Networking > Chapter 3 Configuration

Configuring the Slave KDC

You are now ready to start configuring the slave KDC. If you are setting up the KDCs so that you can easily switch the master KDC with one of the slaves, perform each of these steps on the master KDC as well as on each slave KDC.

Creating Host Keys for the Slave KDC

Each KDC needs a host service principal in the Kerberos database. You can create these from any host, once the kadmind daemon is running.

For example, if your master KDC runs on a machine named "rabbit.finance.bambi.com", and you now want to configure the slave KDC on the machine named "kdc1.finance.bambi.com", first do the following on rabbit.finance.bambi.com:

shell% /opt/krb5/sbin/kadmin
kadmin: addprinc -randkey host/rabbit.finance.bambi.com
WARNING: no policy specified for "host/rabbit.finance.bambi.com@finance.bambi.com"; defaulting to no policy.
Principal "host/rabbit.finance.bambi.com@finance.bambi.com" created.
kadmin: ktadd -k /etc/krb5.keytab host/rabbit.finance.bambi.com

Then do the following on kdc1.finance.bambi.com. The kadmin command connects to kadmind on the master KDC, so addprinc could be run from anywhere, but ktadd writes the key into the keytab of the machine where kadmin is running, so this step must be run on the slave itself:

shell% /opt/krb5/sbin/kadmin
kadmin: addprinc -randkey host/kdc1.finance.bambi.com
WARNING: no policy specified for "host/kdc1.finance.bambi.com@finance.bambi.com"; defaulting to no policy.
Principal "host/kdc1.finance.bambi.com@finance.bambi.com" created.
kadmin: ktadd -k /etc/krb5.keytab host/kdc1.finance.bambi.com

Configuring the Slave servers for Database Propagation

The database is propagated from the master KDC to the slave KDC using kprop and kpropd. To set up propagation, create a file on each KDC, named /var/adm/krb5/krb5kdc/kpropd.acl, containing the principals for each of the KDCs.

The kpropd.acl file is the access control file for kpropd. Each line contains one principal; the local machine accepts Kerberos database propagation via kprop only from a host that authenticates as one of these principals. Because any principal listed here can replace the entire local database, list only the KDCs that must push to this machine, and keep the file owned by and writable only by root.

The general syntax for this is:

host/<master_kdc>@realm

For example, with the master KDC "rabbit.finance.bambi.com", the slave KDC "kdc1.finance.bambi.com" and the realm "finance.bambi.com", the kpropd.acl file on the slave KDC kdc1.finance.bambi.com would contain:

host/rabbit.finance.bambi.com@finance.bambi.com

The kpropd.acl file on the master KDC rabbit.finance.bambi.com would contain the slave's host principal, so that the slave can push the database back if it is later made the master:

host/kdc1.finance.bambi.com@finance.bambi.com

Then, add the following line to /etc/inetd.conf on each KDC.

krb5_prop stream tcp nowait root /opt/krb5/sbin/kpropd kpropd

This line makes inetd start the kpropd database propagation daemon for each incoming connection on the krb5_prop port. Now run /etc/inetd -c so that inetd rereads its configuration.

You also need to add the following lines to /etc/services on each KDC:

kerberos      88/udp   kdc   # Kerberos authentication (udp)
kerberos      88/tcp   kdc   # Kerberos authentication (tcp)
krb5_prop     754/tcp        # Kerberos slave propagation
kerberos-adm  749/tcp        # Kerberos 5 admin/changepw (tcp)
kerberos-adm  749/udp        # Kerberos 5 admin/changepw (udp)
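Because kpropd.acl is the list of principals allowed to overwrite this KDC's database, it is worth generating it mechanically and checking it before trusting it. The following Bourne shell script is an added example and is not part of HP's documentation or tools: gen_kpropd_acl prints the kpropd.acl for one KDC in a realm where every KDC must accept propagation from every other KDC (the "switchable master" setup assumed at the top of this section), and check_kpropd_acl rejects any entry that is not a host principal in the expected realm, for instance an admin principal that crept in. The realm and host names are the ones used on this page; the function and script names are the author's own.

```shell
#!/bin/sh
# Added example, not part of HP's documentation: build the kpropd.acl a KDC
# needs when every KDC in the realm must be able to push the database (so any
# of them can be made master), and check an existing kpropd.acl before
# relying on it. Realm and host names follow this page; only kpropd.acl's
# one-principal-per-line format is taken from the real tool.

# gen_kpropd_acl REALM SELF KDC...
# Print one host principal per line for every KDC except SELF. Every principal
# printed here is allowed to replace SELF's entire Kerberos database.
gen_kpropd_acl() {
    realm=$1
    self=$2
    shift 2
    for kdc in "$@"; do
        [ "$kdc" = "$self" ] && continue
        printf 'host/%s@%s\n' "$kdc" "$realm"
    done
}

# check_kpropd_acl FILE REALM
# Return 0 if every non-blank, non-comment line is host/<hostname>@REALM with a
# plausible hostname; otherwise report each offending line and return 1.
check_kpropd_acl() {
    file=$1
    realm=$2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)
                continue ;;
            host/*@"$realm")
                # Strip the prefix and the realm; the rest must be a hostname
                # (a second '@' or any odd character fails the check).
                h=${line#host/}
                h=${h%@*}
                case "$h" in
                    ''|*[!A-Za-z0-9.-]*) bad=1 ;;
                    *) bad=0 ;;
                esac ;;
            *)
                bad=1 ;;
        esac
        if [ "$bad" -eq 1 ]; then
            echo "$file: not a KDC host principal in $realm: $line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Stand-alone use on each KDC:
#   sh kpropd_acl.sh finance.bambi.com kdc1.finance.bambi.com \
#       rabbit.finance.bambi.com kdc1.finance.bambi.com > /var/adm/krb5/krb5kdc/kpropd.acl
if [ $# -ge 3 ]; then
    gen_kpropd_acl "$@"
fi
```

Run the generator once per KDC with that KDC's own name as SELF and the full KDC list after it; the output for kdc1 is exactly the single rabbit line shown above, and the output for rabbit is the single kdc1 line. Running check_kpropd_acl against the installed file from cron, or before restarting inetd, catches an entry such as alice/admin@finance.bambi.com that would otherwise let a non-KDC host push a database.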


Back on the Master KDC

Now that the slave KDC is able to accept database propagation, you will need to propagate the database to the slave KDC.

Propagate the Database to the Slave KDC

First, create a dump of the database on the master KDC, as follows:

shell% /opt/krb5/sbin/kdb5_util dump /var/adm/krb5/krb5kdc/slave_datatrans
shell%

Next, propagate the dump to the slave KDC by running kprop on the master KDC, as in the following example:

shell% /opt/krb5/sbin/kprop -f /var/adm/krb5/krb5kdc/slave_datatrans kdc1.finance.bambi.com

You can write a script to dump and propagate the database. The following is an example of a Bourne shell script that does this:

#!/bin/sh
# Slave KDCs to receive the database, separated by spaces.
kdclist="kdc1.finance.bambi.com"
# Dump the master database, then push the dump to each slave.
/opt/krb5/sbin/kdb5_util dump /var/adm/krb5/krb5kdc/slave_datatrans
for kdc in $kdclist
do
    /opt/krb5/sbin/kprop -f /var/adm/krb5/krb5kdc/slave_datatrans $kdc
done

You can set up a cron job to run this script at intervals suited to how often the database changes. Until the next run, a slave's copy lags the master, so a change made through kadmin (a new principal, a password change) is not seen by clients that the slave serves until propagation completes.

Now that the slave KDCs have copies of the Kerberos database, you can create stash files for them and start the krb5kdc daemon.

Creating Stash Files on the Slave KDC

Create a stash file by issuing the following command on the slave KDC:

shell% /opt/krb5/sbin/kdb5_util stash
kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key: <= Enter the database master key
shell%

NOTE: The master database key you enter here must be the same as the master KDC's, because the propagated database is encrypted under that key.

As mentioned above, the stash file is necessary for your KDCs to be able to authenticate to themselves, such as when they reboot. You could run krb5kdc without a stash file, but you would have to type the Kerberos database master key every time you start the krb5kdc daemon. The stash file holds the master key in the clear, so it must be readable only by root and must never be copied off the KDC: together with a database dump it yields every key in the realm.

Starting the krb5kdc Daemon on the Slave KDC

The final step in configuring your slave KDCs is to run the KDC daemon:

shell% /opt/krb5/sbin/krb5kdc

Switching between the Master and Slave KDCs

You may occasionally want to use one of your slave KDCs as the master, for example while upgrading the master KDC, or after the master KDC has failed.

Assuming you have configured your KDCs to be able to function as either the master KDC or a slave KDC, all you need to do to make this changeover is:

If kadmind is still running on the master KDC, stop it first, so that no further changes are made to the database while you switch; then do the following on the old master KDC:

  1. Disable the cron job that propagates the database.

  2. Run your database propagation script manually, to ensure that all the slaves have the latest copy of the database. Refer to “Propagate the Database to the Slave KDC” for more information of propagating the database.

Now, on the new master KDC:

  1. Create an admin keytab. Refer to “Creating an admin keytab” for more information.

  2. Start the kadmind daemon. Refer to “Starting the KDC and the Admin Server”.

  3. Set up a cron job to propagate the database. Refer to “Propagate the Database to the Slave KDC”

© 2001 Hewlett-Packard Development Company, L.P.