Propagate the database to each slave KDC
===========================================

First, stop the kadmin service. Next, create a dump file of the database on the master KDC, as follows::

    shell% /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans

Finally, manually propagate the database to each slave KDC, as in the following example::

    shell% /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu

    Database propagation to kerberos-1.mit.edu: SUCCEEDED

If you need additional confirmation that the propagation succeeded, do the following on the slave:

* make sure that only this slave's KDC is listed in the :ref:`krb5.conf(5)` file, then
* start :ref:`krb5kdc(8)` on the slave server and
* run ``kinit admin/admin@ATHENA.MIT.EDU``, which should succeed once the correct password (i.e. the password that was entered on the master server for this principal) is provided.
* now :ref:`klist(1)` should display a message similar to ``Default principal: admin/admin@ATHENA.MIT.EDU``

You will need a script to dump and propagate the database. The following is an example of a Bourne shell script that will do this.

.. note:: Remember that you need to replace ``/usr/local/var`` with the name of the directory in which you installed Kerberos V5.

::

    #!/bin/sh

    # Slave KDCs to propagate to (space-separated)
    kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"

    # Dump the master database once
    /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans

    # Send the dump to each slave in turn
    for kdc in $kdclist
    do
        /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
    done

You will need to set up a cron job to run this script at the intervals you decided on earlier (see :ref:`db_prop_label` and :ref:`incr_db_prop_label`).

The dump can also be used as a save file. Once the operation has succeeded, connect to the slaves and start their KDCs.
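
The script above does not check whether each ``kprop`` run worked, so a slave that missed an update keeps serving an out-of-date database without anyone noticing. The following is an added example, not part of the original documentation: it reports each KDC as OK or FAILED and returns a non-zero status for cron to act on. The function name ``propagate_all``, the ``KDB5_UTIL``, ``KPROP`` and ``DUMPFILE`` override variables, and the script name in the final comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the MIT documentation): dump once, propagate to
# each slave KDC, and report every KDC whose propagation failed.
# KDB5_UTIL, KPROP and DUMPFILE are override hooks assumed by this example;
# their defaults are the paths used on this page.
KDB5_UTIL=${KDB5_UTIL:-/usr/local/sbin/kdb5_util}
KPROP=${KPROP:-/usr/local/sbin/kprop}
DUMPFILE=${DUMPFILE:-/usr/local/var/krb5kdc/slave_datatrans}

# propagate_all KDC...
# Prints "OK <kdc>" or "FAILED <kdc>" on stdout, kprop's own message for a
# failure on stderr. Returns 0 if every KDC succeeded, 1 if any kprop
# failed, 2 if the dump failed (in which case nothing is propagated).
propagate_all() {
    umask 077    # the dump contains principal key data: owner-only
    if ! "$KDB5_UTIL" dump "$DUMPFILE"; then
        echo "dump to $DUMPFILE failed; nothing propagated" >&2
        return 2
    fi
    prop_rc=0
    for kdc in "$@"; do
        # Require both a zero exit status and the SUCCEEDED line.
        if out=$("$KPROP" -f "$DUMPFILE" "$kdc" 2>&1) &&
           printf '%s\n' "$out" | grep -q 'SUCCEEDED'; then
            echo "OK $kdc"
        else
            echo "FAILED $kdc"
            printf '  %s: %s\n' "$kdc" "$out" >&2
            prop_rc=1    # keep going so the other slaves still get updated
        fi
    done
    return "$prop_rc"
}

# Run only when KDC names are given on the command line, e.g. from cron
# (the script name propagate.sh is hypothetical):
#   propagate.sh kerberos-1.mit.edu kerberos-2.mit.edu
if [ "$#" -gt 0 ]; then
    propagate_all "$@"
fi
```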

Now that the slave KDC has a copy of the Kerberos database, you can start the krb5kdc daemon::

    shell% /usr/local/sbin/krb5kdc

As with the master KDC, you will probably want to add this command to the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start the krb5kdc daemon automatically at boot time.

Once your KDCs are set up and running, you are ready to use :ref:`kadmin(1)` to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in :ref:`add_mod_del_princs_label`. The keytab is generated by running kadmin and issuing the ktadd command.

Propagation failed?
-------------------

.. _prop_failed_start:

.. error::

   kprop: No route to host in call to connect while opening connection

   kprop: Connection refused in call to connect while opening connection

   kprop: Server rejected authentication (during sendauth exchange) while authenticating to server

Make sure that:

#. the time is synchronized between the master and slave KDCs;
#. the master stash and keytab files (e.g. ``.k5.ATHENA.MIT.EDU`` and ``host/kerberos-1.mit.edu@ATHENA.MIT.EDU``) are copied from the master to the expected location on the slaves;
#. the Kerberos database was created on the slaves prior to the propagation from the master;
#. if :ref:`kpropd(8)` is invoked from inetd (or its equivalent xinetd), the inetd daemon was restarted after the configuration files ``/etc/inetd.conf`` and ``/etc/services`` were updated;
#. kpropd is running on the slave server;
#. if the locations of the configuration/keytab files differ from the default ones, the proper environment variables and/or options are provided to the programs.

.. _prop_failed_end:

Feedback
--------

Please provide your feedback or suggest a new topic at krb5-bugs@mit.edu?subject=Documentation___install_kdc