Tags: linux, centos, redhat, kerberos, mit-kerberos

Kerberos master-slave setup : Database propagation, and KDC & KADMIN switching


I am trying to set up Kerberos on Redhat with slaves and database propagation (not incremental). I am going through MIT's documentation for KDC installation and configuration. Currently, I have three doubts/issues:

  1. Do we need kpropd running on the slave KDC, even if we do not have incremental propagation?

    I started xinetd service, and tried propagating database (without starting kpropd, as I have not configured incremental propagation), and it gave me an error:

    kprop: Connection refused while connecting to server
    

    However, when I started kpropd in the same setup without any configuration change, I was able to successfully propagate the database.

    As per the document, it says

    [Re]start inetd daemon. Alternatively, start kpropd as a stand-alone daemon. This is required when incremental propagation is enabled.

    I went through MIT's Troubleshooting page as well, and it said the same, i.e. inetd can run kprop.

    My inetd.conf:

    krb5_prop stream tcp nowait root /usr/sbin/kpropd kpropd
    
  2. Do we need to add a Kerberos Administration Server (admin_server) for the slave KDC in krb5.conf? Or, in other words, can we have more than one admin_server property configured in krb5.conf?

    Since we are configuring a master-slave setup and can switch to a slave KDC, making it the new master, at any point in time, we would need to start a Kerberos Administration Server (kadmind) on the new master as well. Do we need to have the hosts for both admin servers listed in the krb5.conf file?

    I tried adding both the hosts, but it turns out that this property only picks the last configured one.

    My krb5.conf looks like:

    [libdefaults]
    default_realm = KRB.MY.DOMAIN
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 1h
    renew_lifetime = 2h
    forwardable = true
    
    [realms]
    KRB.MY.DOMAIN = {
    kdc = old-master-host.my.domain
    kdc = new-master-host.my.domain
    admin_server = old-master-host.my.domain
    admin_server = new-master-host.my.domain
    }
    
    [domain_realm]
    .my.domain = KRB.MY.DOMAIN
    

    In such a case, the admin server would be looked up only at new-master-host.my.domain, even if it is running on old-master-host.my.domain.

  3. Can we start Kerberos Administration Server on a slave KDC machine, as specified in MIT documentation?

    I tried starting Kerberos Administration Server (kadmind) on my new master and I got an error:

    Error. This appears to be a slave server, found kpropd.acl
    

    Is it not advisable to start the Administration server on the slave machine or do we have to [re]move the kpropd.acl file before we can start Administration server?

I would really appreciate any pointers or help.


Solution

  • Answers to your questions:

    1. Yes, you need to have the kpropd and krb5kdc services running on the Secondary KDC server.
    2. There is no need to set up a second admin server in a Master-Secondary KDC setup. You may copy the krb5.conf and kdc.conf files from the Master KDC to the Secondary KDC.
    3. You cannot start kadmind on Secondary KDC server if you have kpropd service running.

    I've used this RH Documentation page to setup Master-Secondary KDC servers: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html
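The two procedures discussed above (pushing a full, non-incremental database dump from the master to each replica with kdb5_util and kprop, and later promoting a replica, which first requires taking kpropd and its kpropd.acl out of the way before kadmind will start), as an added shell example that is not part of the original question or answer. The realm, host names, the /var/kerberos/krb5kdc directory, the kprop/kadmin/krb5kdc service names and the use of systemctl are assumptions; the commands are read from variables so the script can be dry-run with stubs before it touches a real KDC.

```shell
#!/bin/sh
# Added example: full-database propagation from the master KDC to its
# replicas, plus the steps to promote a replica to master.
# Assumptions (not from the original post): realm KRB.MY.DOMAIN, RHEL layout
# under /var/kerberos/krb5kdc, service names kprop/kadmin/krb5kdc managed by
# systemctl. External commands come from variables so a dry run can stub them.

REALM=${REALM:-KRB.MY.DOMAIN}
KDC_DIR=${KDC_DIR:-/var/kerberos/krb5kdc}
DUMP_FILE=${DUMP_FILE:-$KDC_DIR/replica_datatrans}
REPLICAS=${REPLICAS:-new-master-host.my.domain}     # space-separated list
KDB5_UTIL=${KDB5_UTIL:-kdb5_util}
KPROP=${KPROP:-kprop}
SERVICE=${SERVICE:-systemctl}
KPROP_PORT=${KPROP_PORT:-754}   # krb5_prop/tcp, where kpropd (or inetd for it) listens

# Push the current dump to one replica.
# Returns 0 on success, 2 when nothing is listening for kprop on the replica
# (kpropd not started, or the krb5_prop service not enabled in inetd/xinetd),
# 1 for any other kprop failure.
kprop_push() {
    host=$1
    out=$("$KPROP" -r "$REALM" -f "$DUMP_FILE" "$host" 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "propagated to $host: $out"
        return 0
    fi
    case $out in
        *"Connection refused"*)
            echo "kpropd not reachable on $host:$KPROP_PORT; start kpropd (or enable krb5_prop in inetd) on the replica" >&2
            return 2 ;;
        *)
            echo "kprop to $host failed: $out" >&2
            return 1 ;;
    esac
}

# Dump the master database once, then push it to every replica.
# Returns 99 if the dump itself fails, otherwise the number of replicas that
# failed, so a cron wrapper can alert on any non-zero exit.
propagate_all() {
    "$KDB5_UTIL" dump "$DUMP_FILE" || { echo "kdb5_util dump failed" >&2; return 99; }
    failed=0
    for host in $REPLICAS; do
        kprop_push "$host" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run on the replica being promoted. kadmind refuses to start while
# kpropd.acl exists (it takes the host for a replica), so stop kpropd, set the
# ACL aside, and only then start kadmind. kadm5.acl must already be present
# on this host, copied from the old master, for admins to keep their rights.
promote_to_master() {
    acl=$KDC_DIR/kpropd.acl
    "$SERVICE" stop kprop || return 1
    if [ -f "$acl" ]; then
        mv "$acl" "$acl.replica" || return 1
    fi
    [ -f "$KDC_DIR/kadm5.acl" ] || echo "warning: no kadm5.acl in $KDC_DIR" >&2
    "$SERVICE" start kadmin || return 1
    echo "now point admin_server in every krb5.conf at this host"
}
```

Run propagate_all from cron on the master (it needs read access to the KDC database and a host principal for the master in the replica's kpropd.acl); run promote_to_master on the replica you are making the new master, then update admin_server in the clients' krb5.conf to that host.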