.. note:: This document was copied from **Kerberos V5 Installation
          Guide** with minor changes. Currently it is under
          review. Please, send your feedback, corrections and
          additions to krb5-bugs@mit.edu. Your contribution is greatly

When setting up Kerberos in a production environment, it is best to
have multiple slave KDCs alongside a master KDC to ensure the
continued availability of the Kerberized services. Each KDC contains
a copy of the Kerberos database. The master KDC contains the writable
copy of the realm database, which it replicates to the slave KDCs at
regular intervals. All database changes (such as password changes)
are made on the master KDC. Slave KDCs provide Kerberos
ticket-granting services, but not database administration, when the
master KDC is unavailable. MIT recommends that you install all of
your KDCs to be able to function as either the master or one of the
slaves. This will enable you to easily switch your master KDC with
one of the slaves if necessary (see :ref:`switch_master_slave`). This
installation procedure is based on that recommendation.

- The Kerberos system relies on the availability of correct time
  information. Ensure that the master and all slave KDCs have
  properly synchronized clocks.

- It is best to install and run KDCs on secured and dedicated
  hardware with limited access. If your KDC is also a file
  server, FTP server, Web server, or even just a client machine,
  someone who obtained root access through a security hole in any
  of those areas could potentially gain access to the Kerberos

Install and configure the master KDC
------------------------------------

Install Kerberos either from the OS-provided packages or from the
source (see :ref:`do_build`).

.. note:: For the purpose of this document we will use the following

          kerberos.mit.edu    - master KDC
          kerberos-1.mit.edu  - slave KDC
          ATHENA.MIT.EDU      - realm name
          .k5.ATHENA.MIT.EDU  - stash file
          admin/admin         - admin principal

          See :ref:`mitK5defaults` for the default names and locations
          of the files relevant to this topic. Adjust the names and
          paths to your system environment.

Install the Slave KDCs
----------------------

You are now ready to start configuring the slave KDCs.

.. note:: Assuming you are setting the KDCs up so that you can easily
          switch the master KDC with one of the slaves, you should
          perform each of these steps on the master KDC as well as the
          slave KDCs, unless these instructions specify otherwise.

Once your KDCs are set up and running, you are ready to use
:ref:`kadmin(1)` to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described
fully in :ref:`add_mod_del_princs`.

You may occasionally want to use one of your slave KDCs as the master.
This might happen if you are upgrading the master KDC, or if your
master KDC has a disk crash. See the following section for the

Switching Master and Slave KDCs
-------------------------------

switch_master_slave.rst

Incremental database propagation
--------------------------------

../database/incr_db_prop.rst

Please, provide your feedback or suggest a new topic at
krb5-bugs@mit.edu?subject=Documentation___install_kdc