I am trying to set up Kerberos on Red Hat with slaves and database propagation (not incremental). I am going through MIT's documentation for KDC installation and configuration. Currently, I have three doubts/issues:

1. Do we need kpropd running on the slave KDC, even if we do not have incremental propagation?
I started the xinetd service and tried propagating the database (without starting kpropd, as I have not configured incremental propagation), and it gave me an error:

```
kprop: Connection refused while connecting to server
```
However, when I started kpropd in the same setup without any configuration change, I was able to successfully propagate the database.
As per the document, it says:

> [Re]start inetd daemon. Alternatively, start kpropd as a stand-alone daemon. This is required when incremental propagation is enabled.
I went through MIT's Troubleshooting page as well, and it said the same, i.e. inetd can run kprop.
My inetd.conf:

```
krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd
```
2. Do we need to add the Kerberos Administration Server (admin_server) for the slave KDC in krb5.conf? Or, in other words, can we have more than one admin_server property configured in krb5.conf?

Since we are configuring a master-slave setup and can switch to a slave KDC, making it the new master, at any point in time, we would need to start a Kerberos Administration Server (kadmind) on the new master as well. Do we need to have the hosts for both admin servers listed in the krb5.conf file?
I tried adding both the hosts, but it turns out that this property only picks the last configured one.
My krb5.conf looks like:

```
[libdefaults]
    default_realm = KRB.MY.DOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 1h
    renew_lifetime = 2h
    forwardable = true

[realms]
    KRB.MY.DOMAIN = {
        kdc = old-master-host.my.domain
        kdc = new-master-host.my.domain
        admin_server = old-master-host.my.domain
        admin_server = new-master-host.my.domain
    }

[domain_realm]
    .my.domain = KRB.MY.DOMAIN
```
In such a case, the admin server would be looked up only at new-master-host.my.domain, even if it is running on old-master-host.my.domain.

3. Can we start the Kerberos Administration Server on a slave KDC machine, as specified in the MIT documentation?
I tried starting the Kerberos Administration Server (kadmind) on my new master and I got an error:

```
Error. This appears to be a slave server, found kpropd.acl
```

Is it not advisable to start the Administration Server on the slave machine, or do we have to [re]move the kpropd.acl file before we can start the Administration Server?
I would really appreciate any pointers or help.
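Added example, not from the original post: a small Python linter for the `[realms]` section of krb5.conf that flags the duplicated `admin_server` case from the question above, where only one of the listed hosts ends up being used. The parser is a simplified one written for this example (it only handles flat `key = value` lines inside a realm's braces) and is not MIT Kerberos's own profile library; the sample configuration is constructed to mirror the one in the question.

```python
from collections import defaultdict

# Constructed sample, mirroring the configuration in the question.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = KRB.MY.DOMAIN
[realms]
    KRB.MY.DOMAIN = {
        kdc = old-master-host.my.domain
        kdc = new-master-host.my.domain
        admin_server = old-master-host.my.domain
        admin_server = new-master-host.my.domain
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section.
    Simplified parser (assumption, not MIT's profile code): flat
    'key = value' lines inside a realm's braces; '#' comments skipped."""
    realms = defaultdict(lambda: defaultdict(list))
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section != "realms":
            continue
        elif realm is None and line.endswith("{"):
            realm = line[:-1].split("=", 1)[0].strip()
        elif realm is not None and line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm][key].append(value)
    return {r: dict(keys) for r, keys in realms.items()}

def lint_realms(text):
    """Flag realms with more than one admin_server: the question reports
    that only one of them is consulted, so the rest are silently ignored."""
    warnings = []
    for realm, keys in parse_realms(text).items():
        servers = keys.get("admin_server", [])
        if len(servers) > 1:
            warnings.append(f"{realm}: {len(servers)} admin_server entries "
                            f"({', '.join(servers)}), only one is used")
    return warnings
```

Running `lint_realms` over the sample reports the realm with its two admin_server hosts, which is the configuration that silently dropped one of them in the question.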