In this procedure, a new slave KDC named kdc2 is configured. Also, incremental propagation is configured. This procedure uses the following configuration parameters:
Realm name = EXAMPLE.COM
DNS domain name = example.com
Master KDC = kdc1.example.com
Slave KDC = kdc2.example.com
admin principal = kws/admin
Before You Begin
The master KDC is configured. If this slave is to be swappable, follow the instructions in How to Swap a Master KDC and a Slave KDC.
You must assume the root role on the KDC server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
You must log in with one of the admin principal names that you created when you configured the master KDC.
kdc1 # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:
For more information, see the kadmin(1M) man page.
For the slave to function, it must have a host principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.
kadmin: addprinc -randkey host/kdc2.example.com
Principal "host/kdc2.example.com@EXAMPLE.COM" created.
kadmin:
The kiprop principal is used to authorize incremental propagation from the master KDC.
kadmin: addprinc -randkey kiprop/kdc2.example.com
Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.
kadmin:
kadmin: quit
You need to add a kdc entry for each slave to the [realms] section of the master's krb5.conf file. For a description of this file, see the krb5.conf(4) man page.
kdc1 # pfedit /etc/krb5/krb5.conf
.
.
[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }
This kadm5.acl entry allows the master KDC to receive incremental propagation requests from the kdc2 server. The kiprop principal is granted only the p (propagation) privilege, nothing more.
kdc1 # pfedit /etc/krb5/kadm5.acl
*/admin@EXAMPLE.COM *
kiprop/kdc2.example.com@EXAMPLE.COM p
kdc1 # svcadm restart network/security/kadmin
Each slave KDC must have up-to-date information about the master KDC server. You can use sftp or a similar transfer mechanism to get copies of the following files from the master KDC:
/etc/krb5/krb5.conf
/etc/krb5/kdc.conf
The kpropd.acl file lists the host principals that are permitted to propagate the database to this slave; it needs to be updated on all slave KDC servers.
kdc2 # pfedit /etc/krb5/kpropd.acl
host/kdc1.example.com@EXAMPLE.COM
host/kdc2.example.com@EXAMPLE.COM
An unmodified kadm5.acl file would look like the following example:
kdc2 # pfedit /etc/krb5/kadm5.acl
*/admin@___default_realm___ *
If the file has kiprop entries, remove them.
In the kdc.conf file copied from the master, replace the sunw_dbprop_master_ulogsize entry with an entry that defines the slave's polling interval. The following entry sets the poll time to two minutes:
kdc2 # pfedit /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        EXAMPLE.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                sunw_dbprop_slave_poll = 2m
        }
Log in with one of the admin principal names that you created when you configured the master KDC.
kdc2 # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:
Adding the host principal to the slave's keytab enables the kprop command and other Kerberized applications to function. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service. For more information, see the kprop(1M) man page.
kadmin: ktadd host/kdc2.example.com
Entry for principal host/kdc2.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc2.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc2.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
Adding the kiprop principal to the krb5.keytab file allows the kpropd command to authenticate itself when incremental propagation is started.
kadmin: ktadd kiprop/kdc2.example.com
Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
kadmin: quit
kdc2 # svcadm enable network/security/krb5_prop
Create a stash file on the slave so that the KDC can read the database master key without a prompt at startup. The warnings are expected on a slave that has no stash file yet:
kdc2 # /usr/sbin/kdb5_util stash
kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key: xxxxxxxx
For more information, see the kdb5_util(1M) man page.
For authentication to succeed, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.
kdc2 # svcadm enable network/security/krb5kdc
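The following pre-flight check, an added example that is not part of this Oracle procedure, verifies the three files that the steps above edit by hand: that the master's kadm5.acl grants the slave's kiprop principal only the p privilege, that the slave's kadm5.acl carries no leftover kiprop entries, that kpropd.acl names both host principals with lowercase FQDNs, and that kdc.conf has been switched from sunw_dbprop_master_ulogsize to sunw_dbprop_slave_poll. The file contents are constructed samples that mirror the values used in this procedure; the function names are the example's own.

```python
import re

# Constructed sample files that mirror the procedure's values (not copied from a live system).
MASTER_KADM5_ACL = "*/admin@EXAMPLE.COM *\nkiprop/kdc2.example.com@EXAMPLE.COM p\n"
SLAVE_KADM5_ACL = "*/admin@EXAMPLE.COM *\n"
SLAVE_KPROPD_ACL = "host/kdc1.example.com@EXAMPLE.COM\nhost/kdc2.example.com@EXAMPLE.COM\n"
SLAVE_KDC_CONF = """[realms]
    EXAMPLE.COM = {
        acl_file = /etc/krb5/kadm5.acl
        sunw_dbprop_enable = true
        sunw_dbprop_slave_poll = 2m
    }
"""

def acl_entries(text):
    """Yield (principal, privileges) from a kadm5.acl or kpropd.acl file, skipping blank and comment lines."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts[0], (parts[1] if len(parts) > 1 else "")

def check_master_kadm5_acl(text, slave_fqdn, realm):
    """On the master, the slave's kiprop principal must be granted exactly 'p'; no other kiprop entry should exist."""
    want, problems = f"kiprop/{slave_fqdn}@{realm}", []
    kiprop = {p: privs for p, privs in acl_entries(text) if p.startswith("kiprop/")}
    problems += [f"unexpected kiprop entry {p}" for p in kiprop if p != want]
    if want not in kiprop:
        problems.append(f"missing entry: {want} p")
    elif kiprop[want] != "p":
        problems.append(f"{want} has privileges '{kiprop[want]}', expected 'p'")
    return problems

def check_slave_files(kadm5_acl, kpropd_acl, kdc_conf, master_fqdn, slave_fqdn, realm):
    """Slave side: no kiprop entries, both host principals (lowercase FQDN) in kpropd.acl, slave-side kdc.conf."""
    problems = [f"kadm5.acl still has {p}" for p, _ in acl_entries(kadm5_acl) if p.startswith("kiprop/")]
    names = [p for p, _ in acl_entries(kpropd_acl)]
    for fqdn in (master_fqdn, slave_fqdn):
        if f"host/{fqdn.lower()}@{realm}" not in names:
            problems.append(f"kpropd.acl missing host/{fqdn.lower()}@{realm}")
    problems += [f"kpropd.acl instance not lowercase: {n}" for n in names if n.split("@")[0] != n.split("@")[0].lower()]
    conf = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", kdc_conf, re.M))  # key -> first token of its value
    if conf.get("sunw_dbprop_enable") != "true":
        problems.append("kdc.conf: sunw_dbprop_enable is not true")
    if "sunw_dbprop_slave_poll" not in conf:
        problems.append("kdc.conf: sunw_dbprop_slave_poll is not set")
    if "sunw_dbprop_master_ulogsize" in conf:
        problems.append("kdc.conf: sunw_dbprop_master_ulogsize belongs only on the master")
    return problems
```

Run the two check functions against the real files under /etc/krb5 on each KDC before enabling krb5_prop; an empty list means the file matches the procedure.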
Next Steps
Return to the master KDC after the NTP server is installed to make the master KDC a client of the NTP server.