Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Manually Configure a Slave KDC

    In this procedure, a new slave KDC named kdc2 is configured. Also, incremental propagation is configured. This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Slave KDC = kdc2.example.com

  • admin principal = kws/admin

Before You Begin

The master KDC is configured. If this slave is to be swappable, follow the instructions in How to Swap a Master KDC and a Slave KDC.

You must assume the root role on the KDC server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. On the master KDC, start kadmin.

    You must log in with one of the admin principal names that you created when you configured the master KDC.

    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: 

    For more information, see the kadmin(1M) man page.

    1. On the master KDC, add slave host principals to the database, if not already done.

      For the slave to function, it must have a host principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.

      kadmin: addprinc -randkey host/kdc2.example.com
      Principal "host/kdc2.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. On the master KDC, create the principal for incremental propagation.

      The kiprop principal is used to authorize incremental propagation from the master KDC.

      kadmin: addprinc -randkey kiprop/kdc2.example.com
      Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.
      kadmin:
    3. Quit kadmin.
      kadmin: quit
  2. On the master KDC, edit the Kerberos configuration file, krb5.conf.

    You need to add an entry for each slave. For a description of this file, see the krb5.conf(4) man page.

    kdc1 # pfedit /etc/krb5/krb5.conf
    .
    .
    [realms]
    EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com
    admin_server = kdc1.example.com
    }
  3. On the master KDC, add a kiprop entry to kadm5.acl.

    This entry allows the master KDC to receive requests for incremental propagation for the kdc2 server.

    kdc1 # pfedit /etc/krb5/kadm5.acl
    */admin@EXAMPLE.COM *
    kiprop/kdc2.example.com@EXAMPLE.COM p
  4. On the master KDC, restart the kadmin service to use the new entries in the kadm5.acl file.
    kdc1 # svcadm restart network/security/kadmin
  5. On all slave KDCs, copy the KDC administration files from the master KDC server.

    Each slave KDC must have up-to-date information about the master KDC server. You can use sftp or a similar transfer mechanism to get copies of the following files from the master KDC:

    • /etc/krb5/krb5.conf

    • /etc/krb5/kdc.conf

  6. On all slave KDCs, add an entry for the master KDC and each slave KDC into the database propagation configuration file, kpropd.acl.

    This information needs to be updated on all slave KDC servers.

    kdc2 # pfedit /etc/krb5/kpropd.acl
    host/kdc1.example.com@EXAMPLE.COM
    host/kdc2.example.com@EXAMPLE.COM
  7. On all slave KDCs, make sure that the Kerberos access control list file, kadm5.acl, is not populated.

    An unmodified kadm5.acl file would look like the following example:

    kdc2 # pfedit /etc/krb5/kadm5.acl
    */admin@___default_realm___ *

    If the file has kiprop entries, remove them.

  8. On the new slave, define its polling interval in the kdc.conf file.

    Replace the sunw_dbprop_master_ulogsize entry with an entry that defines the slave's polling interval. The following entry sets the poll time to two minutes:

    kdc2 # pfedit /etc/krb5/kdc.conf
    [kdcdefaults]
    kdc_ports = 88,750
    
    [realms]
    EXAMPLE.COM= {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    sunw_dbprop_enable = true
    sunw_dbprop_slave_poll = 2m
    }
  9. On the new slave, start the kadmin command.

    Log in with one of the admin principal names that you created when you configured the master KDC.

    kdc2 # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: 
    1. Add the slave's host principal to the slave's keytab file by using kadmin.

      This entry enables the kprop command and other Kerberized applications to function. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service. For more information, see the kprop(1M) man page.

      kadmin: ktadd host/kdc2.example.com
      Entry for principal host/kdc2.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc2.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc2.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    2. Add the kiprop principal to the slave KDC's keytab file.

      Adding the kiprop principal to the krb5.keytab file allows the kpropd command to authenticate itself when incremental propagation is started.

      kadmin: ktadd kiprop/kdc2.example.com
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    3. Quit kadmin.
      kadmin: quit
  10. On the new slave, start the Kerberos propagation daemon.
    kdc2 # svcadm enable network/security/krb5_prop
  11. On the new slave, create a stash file by using the kdb5_util command.
    kdc2 # /usr/sbin/kdb5_util stash
    kdb5_util: Cannot find/read stored master key while reading master key
    kdb5_util: Warning: proceeding without master key
    
    Enter KDC database master key: xxxxxxxx

    For more information, see the kdb5_util(1M) man page.

  12. Synchronize this system's clock with other clocks in the realm by using NTP or another mechanism.

    For authentication to succeed, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.

  13. On the new slave, start the KDC daemon.
    kdc2 # svcadm enable network/security/krb5kdc
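
The following script is an added example; it is not part of the Oracle Solaris documentation and does not ship with the product. It is a pre-flight check, run on the slave before steps 10 and 13 enable the daemons, that inspects copies of krb5.conf, kpropd.acl, kadm5.acl and kdc.conf in a directory and reports the mistakes that steps 2, 6, 7 and 8 warn about: a KDC missing from the realm stanza, a host principal missing from kpropd.acl or written with an uppercase FQDN, a kiprop entry left in the slave's kadm5.acl, and a kdc.conf where sunw_dbprop_master_ulogsize was not replaced by sunw_dbprop_slave_poll. The host names, realm and the sample files it writes are constructed for the example; the sunw_dbprop_* keys and file names are the ones the procedure uses.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: pre-flight check
# for slave KDC configuration files. Host names and realm are constructed.
MASTER_FQDN="kdc1.example.com"
SLAVE_FQDN="kdc2.example.com"
REALM="EXAMPLE.COM"

# has_line FILE PATTERN: succeed if any line of FILE matches the grep -E PATTERN.
has_line() { grep -Eq "$2" "$1" 2>/dev/null; }

# Step 2: the realm stanza in krb5.conf must list the master and the new slave.
check_krb5_conf() {
    f="$1/krb5.conf"
    has_line "$f" "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$MASTER_FQDN\$" || { echo "krb5.conf: no kdc entry for $MASTER_FQDN"; return 1; }
    has_line "$f" "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$SLAVE_FQDN\$" || { echo "krb5.conf: no kdc entry for $SLAVE_FQDN"; return 1; }
    return 0
}

# Step 6: kpropd.acl must carry the host principal of the master and of the slave,
# and (note in step 1) the host name instance must be a lowercase FQDN.
check_kpropd_acl() {
    f="$1/kpropd.acl"
    if grep -E '^host/[^@]*[A-Z][^@]*@' "$f" >/dev/null 2>&1; then
        echo "kpropd.acl: host principal instance must be a lowercase FQDN"; return 1
    fi
    has_line "$f" "^host/$MASTER_FQDN@$REALM\$" || { echo "kpropd.acl: missing host/$MASTER_FQDN@$REALM"; return 1; }
    has_line "$f" "^host/$SLAVE_FQDN@$REALM\$" || { echo "kpropd.acl: missing host/$SLAVE_FQDN@$REALM"; return 1; }
    return 0
}

# Step 7: a slave's kadm5.acl must not contain kiprop entries (those belong on the master).
check_slave_kadm5_acl() {
    f="$1/kadm5.acl"
    if has_line "$f" '^kiprop/'; then
        echo "kadm5.acl: kiprop entry present on a slave; remove it"; return 1
    fi
    return 0
}

# Step 8: propagation enabled, a slave poll interval set, and the master-only
# ulog size entry (copied from the master in step 5) replaced.
check_slave_kdc_conf() {
    f="$1/kdc.conf"
    has_line "$f" '^[[:space:]]*sunw_dbprop_enable[[:space:]]*=[[:space:]]*true' || { echo "kdc.conf: sunw_dbprop_enable is not true"; return 1; }
    if has_line "$f" '^[[:space:]]*sunw_dbprop_master_ulogsize'; then
        echo "kdc.conf: sunw_dbprop_master_ulogsize still present; replace it with sunw_dbprop_slave_poll"; return 1
    fi
    has_line "$f" '^[[:space:]]*sunw_dbprop_slave_poll[[:space:]]*=' || { echo "kdc.conf: sunw_dbprop_slave_poll not set"; return 1; }
    return 0
}

# check_slave DIR: run every check; the exit status is the number of failed checks.
check_slave() {
    fails=0
    check_krb5_conf "$1"       || fails=$((fails + 1))
    check_kpropd_acl "$1"      || fails=$((fails + 1))
    check_slave_kadm5_acl "$1" || fails=$((fails + 1))
    check_slave_kdc_conf "$1"  || fails=$((fails + 1))
    return $fails
}

# make_sample DIR GOOD: write constructed sample files into DIR. GOOD=1 writes a
# correct set; GOOD=0 injects one typical mistake into each file.
make_sample() {
    dir="$1"; good="$2"; mkdir -p "$dir"
    if [ "$good" -eq 1 ]; then slave_host="$SLAVE_FQDN"; else slave_host="KDC2.example.com"; fi
    printf 'host/%s@%s\nhost/%s@%s\n' "$MASTER_FQDN" "$REALM" "$slave_host" "$REALM" > "$dir/kpropd.acl"
    printf '*/admin@___default_realm___ *\n' > "$dir/kadm5.acl"
    [ "$good" -eq 1 ] || printf 'kiprop/%s@%s p\n' "$SLAVE_FQDN" "$REALM" >> "$dir/kadm5.acl"
    printf '[realms]\n%s = {\nkdc = %s\n' "$REALM" "$MASTER_FQDN" > "$dir/krb5.conf"
    [ "$good" -eq 1 ] && printf 'kdc = %s\n' "$SLAVE_FQDN" >> "$dir/krb5.conf"
    printf 'admin_server = %s\n}\n' "$MASTER_FQDN" >> "$dir/krb5.conf"
    printf '[realms]\n%s = {\nsunw_dbprop_enable = true\n' "$REALM" > "$dir/kdc.conf"
    if [ "$good" -eq 1 ]; then printf 'sunw_dbprop_slave_poll = 2m\n' >> "$dir/kdc.conf"
    else printf 'sunw_dbprop_master_ulogsize = 1000\n' >> "$dir/kdc.conf"; fi
    printf '}\n' >> "$dir/kdc.conf"
}

# Demo on a constructed, deliberately wrong set of files.
demo() {
    d=$(mktemp -d)
    make_sample "$d" 0
    echo "checking constructed slave configuration in $d"
    if check_slave "$d"; then echo "slave configuration looks consistent"
    else echo "$? check(s) failed; fix them before enabling krb5_prop and krb5kdc"; fi
    rm -rf "$d"
}
demo
```

To use it against a real slave, point `check_slave` at a directory holding the four files (for example a copy of /etc/krb5). The checks are deliberately simple line matches; they catch the mistakes the procedure calls out, not every possible misconfiguration, and a clean run does not replace verifying that propagation actually succeeds once krb5_prop is enabled.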

Next Steps

Return to the master KDC after the NTP server is installed to make the master KDC a client of the NTP server.