Finally, any principal with an *admin* instance in *EXAMPLE.COM* has *all* permissions,
but any principal that they create or modify will not be able to get *postdateable* tickets or tickets with a life of longer than 9 hours.
+.. warning:: If the *kadmind*'s ACL file is modified, the *kadmind* daemon needs to be restarted for changes to take effect.
+
------------
Feedback:
+.. _addadmin_kdb:
+
Add administrators to the Kerberos database
===============================================
kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU
- NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU";
+ WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU";
assigning "default".
Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password.
Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again.
(These principals are placed in the Kerberos database automatically when you create it.)
To create the *kadmin* keytab, run *kadmin.local* and use the :ref:`ktadd` command, as in the following example::
- shell% /usr/local/sbin/admin.local
+ shell% /usr/local/sbin/kadmin.local
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 5, encryption
Database propagation to kerberos-1.mit.edu: SUCCEEDED
+Just in case you need an additional confirmation of the successful propagation,
+do the following on the slave:
+ - make sure that only this slave's *kdc* is listed in the *krb5.conf* file, then
+ - start *krb5kdc* on the slave server and
+ - run "kinit admin/admin\@ATHENA.MIT.EDU" which should succeed once the correct password
+ (i.e. password that was entered on the master server for this principal) is provided.
+ - now *klist* should display the message similar to "Default principal: admin/admin\@ATHENA.MIT.EDU"
+
You will need a script to dump and propagate the database. The following is an example of a bourne shell script that will do this.
-.. note:: Remember that you need to replace */usr/local* with the name of the directory in which you installed Kerberos V5.
+.. note:: Remember that you need to replace */usr/local/var* with the name of the directory in which you installed Kerberos V5.
::
Propagation failed?
------------------------
-
-If propagation failed with a loud:
-
.. _prop_failed_start:
-.. error:: kprop: Connection refused in call to connect while opening connection
-
-it means that *kprop* did not manage to contact *kpropd* on the remote slave KDC.
-
-This will occur if you set restrictive access rules with a firewall, or if *kpropd* did not start upon connection.
-
-The propagation is done through a tcp stream on port 754. Usually, *kpropd* is not a daemon running on its own:
-it is started by *inetd* (or its equivalent *xinetd*). However, many systems do not register *kpropd* as a service in their *inetd* database.
-
-You can launch *kpropd* by two different means: either by starting it during boot up with the **-S** argument (see :ref:`kpropd(8)` for details),
-or register *kprop* as a potential services to *inetd*.
-
-To register *kpropd*, it depends on whether your are using inetd or its more sophisticated equivalent *xinetd*.
-First, edit */etc/services*, and look for *kprop* service; the line should look like this::
-
- kprop 754/tcp
-
-If you did not find it, please add it to the bottom of the file. Save and close.
-
-
-Now we should edit */etc/inetd.conf* (see below for *xinetd*), and add the following line to setup the database propagation daemon ::
-
- kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
-
-Please note that the path to executable may vary from one system to another. Save and close *inetd.conf*, and restart *inetd*::
-
- \# /etc/rc.d/inetd restart
-
-
-All config file for *xinetd* resides in the */etc/xinetd.d* directory. We must add the *kprop* config file, so that *xinetd* knows its existence.
-Create and edit the */etc/xinetd.d/kpropd* file ::
-
- service kprop
- {
- socket_type = stream
- wait = no
- user = root
- server = /usr/local/sbin/kpropd
- only_from = 0.0.0.0 # Allow anybody to connect to it. Restrictions may apply here.
- log_on_success = PID HOST EXIT DURATION
- log_on_failure = PID HOST
- }
+.. error:: kprop: No route to host in call to connect while opening connection
-Save and close the file, and restart *xinetd*::
+ kprop: Connection refused in call to connect while opening connection
- \# /etc/init.d/xinetd restart
+ kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
-You should now be able to propagate the dumps from master to slave.
+Make sure that
+#. the time is syncronized between the master-slaves participants;
+#. master stash and keytab files (e.g. *.k5.ATHENA.MIT.EDU* and *host/kerberos-1.mit.edu\@ATHENA.MIT.EDU*) are copied from the master to the expected location on the slaves;
+#. Kerberos database was created on the slaves prior the propagation from the master.
+#. if *kpropd* is invoked from *inetd* (or its equivalent *xinetd*),
+ the *inetd* daemon was restarted after the configuration files
+ */etc/inetd.conf* and */etc/services* were updated;
+#. *kpropd* is running on the slave server;
+#. if the locations of the configuration/keytab files differ from the default ones, provide the proper environment variables and/or options to the programs;
.. _prop_failed_end:
Start the Kerberos daemons on the master KDC
===============================================
-At this point, you are ready to start the Kerberos KDC and administrative daemons on the Master KDC. To do so, type::
+At this point, you are ready to start the Kerberos KDC (:ref:`krb5kdc(8)`) and
+administrative daemons on the Master KDC. To do so, type::
shell% /usr/local/sbin/krb5kdc
shell% /usr/local/sbin/kadmind
you can add them to the KDC's */etc/rc* or */etc/inittab* file.
You need to have a :ref:`stash_definition` in order to do this.
+
+
You can verify that they started properly by checking for their startup messages in the logging locations
you defined in */etc/krb5.conf*. (See :ref:`logging`).
For example::
Any errors the daemons encounter while starting will also be listed in the logging output.
+As an additional verification, check if *kinit* succeeds against the principals that
+you have created on the previous step (:ref:`addadmin_kdb`). Run::
+
+ shell% /usr/local/bin/kinit admin/admin@ATHENA.MIT.EDU
+
+
You are now ready to start configuring the slave KDCs.
.. note:: Assuming you are setting the KDCs up so that you can easily switch the master KDC with one of the slaves,
and this section will explain those.
For more information on Kerberos V5 configuration files see :ref:`krb5.conf` and :ref:`kdc.conf`.
+If the locations for these configuration files differs from the default ones,
+set *KRB5_CONFIG* and *KRB5_KDC_PROFILE* environment variables to point to the
+*krb5.conf* and *kdc.conf* respectively.
+For example::
+
+ export KRB5_CONFIG=/yourdir/krb5.conf
+ export KRB5_KDC_PROFILE=/yourdir/kdc.conf
+
*krb5.conf*
-------------
[libdefaults]
default_realm = ATHENA.MIT.EDU
+ # if the default location does not suit your setup,
+ # explicitly configure the keytab location:
+ # default_keytab_name = FILE:/var/krb5kdc/krb5.keytab
[realms]
ATHENA.MIT.EDU = {
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal aes128-cts-hmac-sha1-96:normal
+ # if the default location does not suit your setup,
+ # explicitly configure the following four values:
+ # database_name = /var/krb5kdc/principal
+ # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
+ # admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
+ # acl_file = /var/krb5kdc/kadm5.acl
}
-Replace *ATHENA.MIT.EDU* and *kerberos.mit.edu* with the name of your Kerberos realm and server respectively.
+Replace *ATHENA.MIT.EDU* and *kerberos.mit.edu* with the name of your Kerberos *realm* and *server* respectively.
+
+.. note:: You have to have write permission on the target directories
+ (these directories must exist) used by
+ *database_name, key_stash_file, admin_keytab* and *acl_file*
+
+
------------
For example, if the master KDC were called *kerberos.mit.edu*, and you had slave KDC named *kerberos-1.mit.edu*,
you would type the following::
- shell% /usr/local/sbin/kadmin
+ shell% /usr/local/bin/kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
You will now initialize the slave database::
- kdb5_util create
+ shell% /usr/local/sbin/kdb5_util create
+
+.. caution:: You will use :ref:`kdb5_util(8)` but without exporting the stash file (-s argument), i
+ thus avoiding the obliteration of the one you just copied from the master.
-Caution: you will use :ref:`kdb5_util(8)` but without exporting the stash file (-s argument), i
-thus avoiding the obliteration of the one you just copied from the master.
When asking for the database Master Password, type in anything you want.
The whole dummy database will be erased upon the first propagation from master.
Then, add the following line to */etc/inetd.conf* file on each KDC (Adjust the path to *kpropd*)::
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+ eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -5 -c -e
+
You also need to add the following lines to */etc/services* on each KDC (assuming that default ports are used)::
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
-
-.. note:: Do not start slave KDC - you still do not have a copy of the master's database.
+
+Restart *inetd* daemon.
+
+
+Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon "kpropd -S" or,
+if the default locations must be overridden,::
+
+ shell% /usr/local/sbin/kpropd -S -a path-to-kpropd.acl -r ATHENA.MIT.EDU -f /var/krb5kdc/from_master
+
+ waiting for a kprop connection
Now that the slave KDC is able to accept database propagation, you’ll need to propagate the database from the master server.
+NOTE: Do not start slave KDC - you still do not have a copy of the master's database.
+
------------
6. Rebuild Sphinx source. From the *trunk/doc/rst_source* run::
- sphinx-build . output_dir
+ sphinx-build . output_dir
.. _Part_B:
+About this project
+======================
.. toctree::
:maxdepth: 1