Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

 
Updated: August 2014
 
 

How to Reconfigure a Master KDC to Use Incremental Propagation

    The steps in this procedure can be used to reconfigure an existing master KDC to use incremental propagation. This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Slave KDC = kdc2.example.com

  • admin principal = kws/admin

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Add entries to kdc.conf.

    You need to enable incremental propagation and select the number of updates the KDC master keeps in the log. For more information, see the kdc.conf(4) man page.

    kdc1 # pfedit /etc/krb5/kdc.conf
[kdcdefaults]
kdc_ports = 88,750

[realms]
EXAMPLE.COM= {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}
  2. Create the kiprop principal.

    The kiprop principal is used to authenticate the master KDC server and to authorize updates from the master KDC.

    kdc1 # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin: addprinc -randkey kiprop/kdc1.example.com
Principal "kiprop/kdc1.example.com@EXAMPLE.COM" created.
kadmin: addprinc -randkey kiprop/kdc2.example.com
Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.
kadmin:
  3. On the master KDC, add a kiprop entry to kadm5.acl.

    This entry allows the master KDC to receive requests for incremental propagation from the kdc2 server.

    kdc1 # pfedit /etc/krb5/kadm5.acl
*/admin@EXAMPLE.COM *
kiprop/kdc2.example.com@EXAMPLE.COM p
  4. Comment out the kprop line in the root crontab file.

    This step prevents the master KDC from propagating its copy of the KDC database.

    kdc1 # crontab -e
#ident  "@(#)root       1.20    01/11/06 SMI"
#
# The root crontab should be used to perform accounting data collection.
#
# The rtc command is run to adjust the real time clock if and when
# daylight savings time changes.
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
#10 3 * * * /usr/lib/krb5/kprop_script kdc2.example.com
  5. Restart kadmind. 
    kdc1 # svcadm restart network/security/kadmin
  6. Reconfigure all slave KDC servers that use incremental propagation.

    For complete instructions, see How to Reconfigure a Slave KDC to Use Incremental Propagation.

Copyright © 2002, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous
Next