
I am trying to set up Kerberos on Red Hat with slaves and database propagation (not incremental). I am going through MIT's documentation for KDC installation and configuration. Currently, I have three doubts/issues:

  1. Do we need kpropd running on the slave KDC, even if we do not have incremental propagation?

    I started the xinetd service and tried propagating the database (without starting kpropd, as I have not configured incremental propagation), and it gave me an error:

    kprop: Connection refused while connecting to server
    

    However, when I started kpropd in the same setup without any configuration change, I was able to successfully propagate the database.

    As per the document, it says

    [Re]start inetd daemon. Alternatively, start kpropd as a stand-alone daemon. This is required when incremental propagation is enabled.

    I went through MIT's Troubleshooting page as well, and it said the same, i.e. inetd can run kprop.

    My inetd.conf:

    krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd
    
  2. Do we need to add a Kerberos Administration Server (admin_server) for the slave KDC in krb5.conf? Or, in other words, can we have more than one admin_server property configured in krb5.conf?

    Since we are configuring a master-slave setup and can switch to a slave KDC, making it the new master, at any point in time, we would need to start a Kerberos Administration Server (kadmind) on the new master as well. Do we need to have the hosts for both admin servers listed in the krb5.conf file?

    I tried adding both the hosts, but it turns out that this property only picks the last configured one.

    My krb5.conf looks like:

    [libdefaults]
    default_realm = KRB.MY.DOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 1h
    renew_lifetime = 2h
    forwardable = true
    
    [realms]
    KRB.MY.DOMAIN = {
    kdc = old-master-host.my.domain
    kdc = new-master-host.my.domain
    admin_server = old-master-host.my.domain
    admin_server = new-master-host.my.domain
    }
    
    [domain_realm]
    .my.domain = KRB.MY.DOMAIN
    

    In such a case, the admin server would be looked up only at new-master-host.my.domain, even if it is running on old-master-host.my.domain.

  3. Can we start the Kerberos Administration Server on a slave KDC machine, as specified in the MIT documentation?

    I tried starting Kerberos Administration Server (kadmind) on my new master and I got an error:

    Error. This appears to be a slave server, found kpropd.acl
    

    Is it not advisable to start the Administration Server on the slave machine, or do we have to [re]move the kpropd.acl file before we can start the Administration Server?

I would really appreciate any pointers or help.

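As an added check (written for this page, not code from the question, the answer, or MIT krb5), a small Python lint that parses the [realms] stanza of a krb5.conf like the one in question 2 and reports any realm carrying more than one admin_server entry, while leaving the normal multiple kdc entries alone. The sample configuration is constructed to mirror the question's file, and the parser handles only the flat key = value lines and REALM = { ... } blocks shown there.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the krb5.conf in the question (not the poster's file).
SAMPLE_KRB5_CONF = """\
[realms]
KRB.MY.DOMAIN = {
kdc = old-master-host.my.domain
kdc = new-master-host.my.domain
admin_server = old-master-host.my.domain
admin_server = new-master-host.my.domain
}
"""


def parse_realms(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {realm: {key: [values]}} for the [realms] section, keeping
    repeated keys in file order so duplicates stay visible.  Handles only the
    flat 'key = value' lines and 'REALM = { ... }' blocks used in the question."""
    realms: Dict[str, Dict[str, List[str]]] = {}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1], None   # new top-level section
        elif section != "realms":
            continue
        elif re.fullmatch(r"\S+\s*=\s*\{", line):
            current = realms.setdefault(line.split("=", 1)[0].strip(), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms


def duplicate_admin_servers(text: str) -> Dict[str, List[str]]:
    """Realms listing more than one admin_server.  Several kdc lines are normal
    (master and slaves), but only one kadmind host is expected per realm."""
    return {realm: keys["admin_server"]
            for realm, keys in parse_realms(text).items()
            if len(keys.get("admin_server", [])) > 1}


if __name__ == "__main__":
    for realm, hosts in duplicate_admin_servers(SAMPLE_KRB5_CONF).items():
        print(f"{realm}: {len(hosts)} admin_server entries; the question reports "
              f"that only the last one, {hosts[-1]}, took effect")
```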

1 Answer


To answer your questions:

  1. Yes, you need to run the kpropd and krb5kdc services on the slave KDC server.
  2. There is no need to set up a second admin server in a master/slave KDC setup. You can copy the krb5.conf and kdc.conf files from the master KDC to the slave KDC.
  3. You cannot start kadmind on the slave KDC server if you are running the kpropd service.

I used this RH documentation page to set up the master and slave KDC servers: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html

answered 2015-08-06T18:36:10.427