disasters.
@end itemize
-If you have a large or complex network, @value{COMPANY} will be
-happy to work with you to determine the optimal number and placement of
-your slave KDCs.
+
@node Hostnames for the Master and Slave KDCs, Database Propagation, Slave KDCs, Realm Configuration Decisions
@section Hostnames for the Master and Slave KDCs
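Review bot: dropping the "@value{COMPANY} will be happy to work with you" paragraph removes the only guidance on how many slave KDCs to run and where to put them, and leaves just a blank line after @end itemize; if the intent is to strip vendor-specific wording, keep the advice in neutral form ("size and place slave KDCs so that each site can still get tickets when its link to the master is down") rather than deleting it, and say so in the commit message.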
@subsubsection Edit the Configuration Files
Modify the configuration files, @code{/etc/krb5.conf}
-(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/lib/krb5kdc/kdc.conf}
+(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf}
(@pxref{kdc.conf}) to reflect the correct information (such as the
hostnames and realm name) for your realm. @value{COMPANY} recommends
that you keep @code{krb5.conf} in @code{/etc}. The @code{krb5.conf}
@smallexample
@group
@b{shell%} @value{ROOTDIR}/sbin/kdb5_util create -r @value{PRIMARYREALM} -s
-@b{Initializing database '@value{ROOTDIR}/lib/krb5kdc/principal' for
+@b{Initializing database '@value{ROOTDIR}/var/krb5kdc/principal' for
@result{} realm '@value{PRIMARYREALM}',
master key name 'K/M@@@value{PRIMARYREALM}'
You will be prompted for the database Master Password.
and @code{principal.ok}; the Kerberos administrative database file,
@code{principal.kadm5}; the administrative database lock file,
@code{principal.kadm5.lock}; and the stash file, @code{.k5stash}. (The
-default directory is @code{@value{ROOTDIR}/lib/krb5kdc}.) If you do not
+default directory is @code{@value{ROOTDIR}/var/krb5kdc}.) If you do not
want a stash file, run the above command without the @code{-s} option.
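Review bot: the unchanged prose in this hunk still names the stash file @code{.k5stash}, but the sample @code{kdc.conf} later in this same patch sets @code{key_stash_file} to @code{@value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM}}, which is also the name @code{kdb5_util create -s} writes by default; while the directory is being corrected, correct the filename in this sentence too so that an administrator who goes looking for the master-key stash finds the file the KDC actually reads.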
@node Add Administrators to the Acl File, Add Administrators to the Kerberos Database, Create the Database, Install the Master KDC
@smallexample
@group
@b{shell%} @value{ROOTDIR}/sbin/kadmin.local
-@b{kadmin.local:} ktadd -k @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab
+@b{kadmin.local:} ktadd -k @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
@result{} kadmin/admin kadmin/changepw
@b{Entry for principal kadmin/admin@@@value{PRIMARYREALM} with
kvno 3, encryption type DES-CBC-CRC added to keytab
- WRFILE:@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab.
+ WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw@@@value{PRIMARYREALM} with
kvno 3, encryption type DES-CBC-CRC added to keytab
- WRFILE:@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab.
+ WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab.
kadmin.local:} quit
@b{shell%}
@end group
@noindent
As specified in the @samp{-k} argument, @code{ktadd} will save the
-extracted keytab as @code{@value{ROOTDIR}/lib/krb5kdc/kadm5.keytab}.
+extracted keytab as @code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}.
The filename you use must be the one specified in your @code{kdc.conf}
file.
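Review bot: the sample @code{ktadd} output in this hunk still shows both admin keys added with "encryption type DES-CBC-CRC" at kvno 3; since the example is being re-captured anyway for the new @code{var/krb5kdc} path, re-run it on a current build so the documentation does not present single-DES as the expected enctype for @code{kadmin/admin} and @code{kadmin/changepw}, which are the keys that protect every administrative change to the realm.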
The database is propagated from the master KDC to the slave KDCs via the
@code{kpropd} daemon. To set up propagation, create a file on each KDC,
-named @code{@value{ROOTDIR}/lib/krb5kdc/kpropd.acl}, containing the
+named @code{@value{ROOTDIR}/var/krb5kdc/kpropd.acl}, containing the
principals for each of the KDCs.
@need 1200
For example, if the master KDC were
@smallexample
@group
-@b{shell%} @value{ROOTDIR}/sbin/kdb5_util dump @value{ROOTDIR}/lib/krb5kdc/slave_datatrans
+@b{shell%} @value{ROOTDIR}/sbin/kdb5_util dump @value{ROOTDIR}/var/krb5kdc/slave_datatrans
@b{shell%}
@end group
@end smallexample
@smallexample
@group
-@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans
+@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/var/krb5kdc/slave_datatrans
@result{} @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
-@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans
+@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/var/krb5kdc/slave_datatrans
@result{} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
@end group
@end smallexample
kdclist = "@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}"
@value{ROOTDIR}/sbin/kdb5_util -R "dump
-@result{} @value{ROOTDIR}/lib/krb5kdc/slave_datatrans"
+@result{} @value{ROOTDIR}/var/krb5kdc/slave_datatrans"
for kdc in $kdclist
do
-@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/lib/krb5kdc/slave_datatrans $kdc
+@value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/var/krb5kdc/slave_datatrans $kdc
done
@end group
@end smallexample
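Review bot: the propagation script in this hunk will not run as written, independent of the path change: @code{kdclist = "..."} has spaces around the @code{=}, so sh treats @code{kdclist} as a command name rather than an assignment, and @code{kdb5_util -R "dump ..."} uses the @code{-R} request syntax that belongs to @code{kdb5_edit} (as in the later @code{kdb5_edit -R 'dump_db'} example) rather than the @code{kdb5_util dump @var{file}} form shown a few lines above in this same patch. Suggested body:
@code{kdclist="@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}"}
@code{@value{ROOTDIR}/sbin/kdb5_util dump @value{ROOTDIR}/var/krb5kdc/slave_datatrans}
and then the @code{for kdc in $kdclist} loop as it stands.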
#
krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -k -c -e
+@result{} klogind -5 -c -e
@end group
@end smallexample
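Review bot: this is the one hunk in the patch that is not a path substitution: the @code{eklogin} entry changes @code{klogind -k -c -e} to @code{klogind -5 -c -e}, which alters which authentication the daemon accepts rather than where a file lives. Call it out separately in the commit message, confirm the flag against the @code{klogind} option list for the release this guide documents, and keep @code{-c} and @code{-e} (checksum of the initial connection, encryption required) as they are, since they are what make the "encrypted rlogin" entry actually enforce encryption.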
@smallexample
@group
@b{shell%} kdb5_edit -r @value{PRIMARYREALM} -R 'dump_db' >
-@result{} @value{ROOTDIR}/lib/krb5kdc/old-kdb-dump
+@result{} @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
@b{shell%}
@end group
@end smallexample
@smallexample
@group
@b{shell%} ovsec_adm_export -r @value{PRIMARYREALM} >
-@result{} @value{ROOTDIR}/lib/krb5kdc/old-adb-dump
+@result{} @value{ROOTDIR}/var/krb5kdc/old-adb-dump
@b{shell%}
@end group
@end smallexample
@smallexample
@group
-@b{shell%} kdb5_util load @value{ROOTDIR}/lib/krb5kdc/old-kdb-dump
+@b{shell%} kdb5_util load @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
@b{shell%}
@end group
@end smallexample
@smallexample
@group
-@b{shell%} kdb5_util load -update @value{ROOTDIR}/lib/krb5kdc/old-adb-dump
+@b{shell%} kdb5_util load -update @value{ROOTDIR}/var/krb5kdc/old-adb-dump
@b{shell%}
@end group
@end smallexample
As stated earlier in this section, @value{COMPANY} recommends that on a
secure host, you disable the standard @code{ftp}, @code{login},
@code{telnet}, @code{shell}, and @code{exec} services in
-@code{/etc/services}. We also recommend that secure hosts have an empty
+@code{/etc/inetd.conf}. We also recommend that secure hosts have an empty
@code{/etc/hosts.equiv} file and that there not be a @code{.rhosts} file
in @code{root}'s home directory. You can grant Kerberos-authenticated
root access to specific Kerberos principals by placing those principals
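Review bot: the @code{/etc/services} to @code{/etc/inetd.conf} correction is right, because @code{/etc/services} only maps names to port numbers and editing it disables nothing; the unchanged @code{ftp}, @code{login}, @code{telnet}, @code{shell} and @code{exec} entries are turned off by commenting them out of @code{inetd.conf}. The sentence opens with "As stated earlier in this section", so the earlier statement it refers to, which is outside this diff, needs the same fix or the two will contradict each other.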
@smallexample
@group
[kdc]
- profile = @value{ROOTDIR}/lib/krb5kdc/kdc.conf
+ profile = @value{ROOTDIR}/var/krb5kdc/kdc.conf
[logging]
- kdc = FILE:/dev/ttyp9
- admin_server = FILE:/dev/ttyp9
- default = FILE:/dev/ttyp9
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmin.log
+ default = FILE:/var/log/krb5lib.log
@end group
@end smallexample
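Review bot: replacing @code{FILE:/dev/ttyp9} in all three @code{[logging]} entries is correct; a pseudo-terminal path is a developer's own session that was pasted into the sample, and a reader who copies it gets a KDC that either fails to open the log or writes it to whoever happens to own that tty. With the new @code{/var/log/krb5kdc.log}, @code{kadmin.log} and @code{krb5lib.log} targets, add a sentence that these files are created by @code{krb5kdc} and @code{kadmind} running as root, record principal names, client addresses and administrative actions, and should be owner-readable only and rotated, since the sample otherwise gives no guidance on protecting them.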
[realms]
@value{PRIMARYREALM} = @{
profile = /etc/krb5.conf
- database_name = @value{ROOTDIR}/lib/krb5kdc/principal
- admin_database_name = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5
- admin_database_lockfile = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5.lock
- admin_keytab = @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab
- acl_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.acl
- dict_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.dict
- key_stash_file = @value{ROOTDIR}/lib/krb5kdc/.k5.@value{PRIMARYREALM}
+ database_name = @value{ROOTDIR}/var/krb5kdc/principal
+ admin_database_name = @value{ROOTDIR}/var/krb5kdc/principal.kadm5
+ admin_database_lockfile = @value{ROOTDIR}/var/krb5kdc/principal.kadm5.lock
+ admin_keytab = @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
+ acl_file = @value{ROOTDIR}/var/krb5kdc/kadm5.acl
+ dict_file = @value{ROOTDIR}/var/krb5kdc/kadm5.dict
+ key_stash_file = @value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM}
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
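Review bot: the seven @code{-}/@code{+} pairs in this @code{[realms]} stanza map one to one and only the directory changes, and @code{admin_keytab} now agrees with the @code{ktadd -k} example earlier in the patch, which the text says it must. Since this single directory now holds the principal database, the admin database, the ACL, the admin keytab and the master-key stash, the surrounding prose should state that @code{@value{ROOTDIR}/var/krb5kdc} must be owned by root with no group or other access; a readable stash or keytab in that directory is equivalent to handing out the realm's master key.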