Propagate the database to each slave KDC
===========================================

First, stop the *kadmin* service.

Next, create a dump file of the database on the master KDC, as follows::

    shell% /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans

Finally, manually propagate the database to each slave KDC, as in the following example::

    shell% /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu

    Database propagation to kerberos-1.mit.edu: SUCCEEDED


If you need additional confirmation that the propagation succeeded,
do the following on the slave:

- make sure that only this slave's *kdc* is listed in the *krb5.conf* file, then
- start *krb5kdc* on the slave server and
- run "kinit admin/admin\@ATHENA.MIT.EDU", which should succeed once the correct password
  (i.e. the password that was entered on the master server for this principal) is provided.
- now *klist* should display a message similar to "Default principal: admin/admin\@ATHENA.MIT.EDU"

You will need a script to dump and propagate the database. The following is an example of a Bourne shell script that will do this.

.. note:: Remember that you need to replace */usr/local/var* with the name of the directory in which you installed Kerberos V5.

::

    #!/bin/sh
    kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"   # slave KDCs to update

    /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans   # dump once

    for kdc in $kdclist; do
        /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
    done


You will need to set up a cron job to run this script at the intervals you decided on earlier (see :ref:`db_prop_label` and :ref:`incr_db_prop_label`).
The dump can also be used as a save file.
Once the operation has succeeded, connect to the slaves and start their KDCs.

Now that the slave KDC has a copy of the Kerberos database, you can start the *krb5kdc* daemon::

    shell% /usr/local/sbin/krb5kdc


As with the master KDC, you will probably want to add this command to the KDCs' */etc/rc* or */etc/inittab* files,
so they will start the *krb5kdc* daemon automatically at boot time.

Once your KDCs are set up and running, you are ready to use kadmin to load principals for your users,
hosts, and other services into the Kerberos database.
This procedure is described fully in the :ref:`add_mod_del_princs_label`.
The keytab is generated by running kadmin and issuing the ktadd command.

------------------------

.. _prop_failed_start:

.. error:: kprop: No route to host in call to connect while opening connection

           kprop: Connection refused in call to connect while opening connection

           kprop: Server rejected authentication (during sendauth exchange) while authenticating to server

Make sure that:

#. the time is synchronized between the master and the slaves;
#. master stash and keytab files (e.g. *.k5.ATHENA.MIT.EDU* and *host/kerberos-1.mit.edu\@ATHENA.MIT.EDU*) are copied from the master to the expected location on the slaves;
#. the Kerberos database was created on the slaves prior to the propagation from the master;
#. if *kpropd* is invoked from *inetd* (or its equivalent *xinetd*),
   the *inetd* daemon was restarted after the configuration files
   */etc/inetd.conf* and */etc/services* were updated;
#. *kpropd* is running on the slave server;
#. if the locations of the configuration/keytab files differ from the default ones, the proper environment variables and/or options are provided to the programs.
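
The example script above runs *kprop* for each slave but does not check whether it worked, so a cron job built on it would not report the errors listed in this section. The following variant is an added example, not part of the original documentation: it dumps once, propagates to every slave, and returns a non-zero status while recording which slaves failed. The names ``propagate_all``, ``KDB5_UTIL``, ``KPROP``, ``DUMPFILE``, ``FAILED`` and ``PROPAGATE_NOW`` are hypothetical, and it assumes *kprop* exits non-zero on failure and that the dump should be readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the original documentation).
# Paths follow the page; override them if Kerberos V5 is installed elsewhere.
KDB5_UTIL=${KDB5_UTIL:-/usr/local/sbin/kdb5_util}
KPROP=${KPROP:-/usr/local/sbin/kprop}
DUMPFILE=${DUMPFILE:-/usr/local/var/krb5kdc/slave_datatrans}

# propagate_all KDC...
# Sets FAILED to the space-separated list of slaves that were not updated.
# Returns 0 if every slave succeeded, 1 if any slave failed,
# 2 if the dump itself failed (nothing is propagated in that case).
propagate_all() {
    FAILED=""
    umask 077   # assumption: the dump holds key material, keep it owner-only
    if ! "$KDB5_UTIL" dump "$DUMPFILE"; then
        echo "dump to $DUMPFILE failed; nothing propagated" >&2
        return 2
    fi
    for kdc in "$@"; do
        # Assumption: kprop exits non-zero on errors such as
        # "Connection refused" or "Server rejected authentication".
        if "$KPROP" -f "$DUMPFILE" "$kdc"; then
            echo "propagation to $kdc: ok"
        else
            echo "propagation to $kdc: FAILED" >&2
            FAILED="${FAILED:+$FAILED }$kdc"
        fi
    done
    # Keep going after a failure so one unreachable slave does not
    # leave the others stale; report the overall result at the end.
    [ -z "$FAILED" ]
}

# Run only when asked, so the function can be sourced without side effects.
if [ "${PROPAGATE_NOW:-}" = 1 ]; then
    propagate_all kerberos-1.mit.edu kerberos-2.mit.edu
    exit $?
fi
```

From cron, run it with ``PROPAGATE_NOW=1`` so that a non-zero exit status and the messages on standard error reach whoever receives the cron mail.
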