Updated the documentation for the propagation

[krb5.git] / doc / rst_source / krb_admins / install_kdc / kdc_prop_slave.rst

Propagate the database to each slave KDC
===========================================

First, stop the *kadmin* service.

Next, create a dump file of the database on the master KDC, as follows::

      shell% /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
    
Finally, manually propagate the database to each slave KDC, as in the following example::

     shell% /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu

     Database propagation to kerberos-1.mit.edu: SUCCEEDED

Just in case you need an additional confirmation of the successful propagation, 
do the following on the slave:
    - make sure that only this slave's *kdc* is listed in the *krb5.conf* file, then
    - start *krb5kdc* on the slave server and
    - run "kinit  admin/admin\@ATHENA.MIT.EDU" which should succeed once the correct password 
      (i.e. password that was entered on the master server for this principal) is provided.
    - now *klist* should display the message similar to  "Default principal: admin/admin\@ATHENA.MIT.EDU"


You will need a script to dump and propagate the database. The following is an example of a bourne shell script that will do this. 

.. note:: Remember that you need to replace */usr/local/var* with the name of the directory in which you installed Kerberos V5.

::

     #!/bin/sh
     
     kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"
     
     /usr/local/sbin/kdb5_util "dump /usr/local/var/krb5kdc/slave_datatrans"
     
     for kdc in $kdclist
     do
     /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
     done
     

You will need to set up a cron job to run this script at the intervals you decided on earlier (See :ref:`db_prop_label` and :ref:`incr_db_prop_label`.) 
The dump can also be used as a save file. 
Once the operation succeeded, connect to slaves and start thier KDCs.

Now that the slave KDC has a copy of the Kerberos database, you can start the *krb5kdc* daemon::

    shell% usr/local/sbin/krb5kdc
     

As with the master KDC, you will probably want to add this command to the KDCs' */etc/rc* or */etc/inittab* files, 
so they will start the *krb5kdc* daemon automatically at boot time.

Once your KDCs are set up and running, you are ready to use kadmin to load principals for your users, 
hosts, and other services into the Kerberos database. 
This procedure is described fully in the :ref:`add_mod_del_princs_label`. 
The keytab is generated by running kadmin and issuing the ktadd command.


Propagation failed?
------------------------

.. _prop_failed_start: 

.. error:: kprop:  No route to host in call to connect while opening connection

           kprop:  Connection refused in call to connect while opening connection

           kprop:  Server rejected authentication (during sendauth exchange) while authenticating to server 

Make sure that

#. the time is syncronized between the master-slaves participants;
#. master stash and keytab files (e.g. *.k5.ATHENA.MIT.EDU* and *host/kerberos-1.mit.edu\@ATHENA.MIT.EDU*) are copied from the master to the expected location on the slaves; 
#. Kerberos database was created on the slaves prior the propagation from the master.  
#. if *kpropd* is invoked from *inetd* (or its equivalent *xinetd*),
   the *inetd* daemon was restarted after the configuration files
   */etc/inetd.conf* and */etc/services* were updated;
#. *kpropd* is running on the slave server; 
#. if the locations of the configuration/keytab files differ from the default ones, provide the proper environment variables and/or options to the programs;

.. _prop_failed_end: 



------------

Feedback:

Please, provide your feedback or suggest a new topic at krb5-bugs@mit.edu?subject=Documentation___install_kdc