Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

How to Swap a Master KDC and a Slave KDC

In this procedure, the master KDC server that is being swapped out is named kdc1. The slave KDC that will become the new master KDC is named kdc4. This procedure assumes that you are using incremental propagation.

Before You Begin

Complete the procedure How to Configure a Swappable Slave KDC.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. On the new master KDC, start kadmin.
    kdc4 # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin:
  2. Create new principals for the kadmind service.

    The following example shows the first addprinc command on two lines, but it should be typed on one line.

    kadmin: addprinc -randkey -allow_tgs_req +password_changing_service -clearpolicy \
    changepw/kdc4.example.com
    Principal "changepw/kdc4.example.com@EXAMPLE.COM" created.
    kadmin: addprinc -randkey -allow_tgs_req -clearpolicy kadmin/kdc4.example.com
    Principal "kadmin/kdc4.example.com@EXAMPLE.COM" created.
    kadmin:
  3. Quit kadmin.
    kadmin: quit
  4. On the new master KDC, force synchronization.

    The following steps force a full KDC update on the slave server, so that kdc4 holds a complete copy of the database before it becomes the master. The full update is served by the kadmind daemon on the old master, kdc1, which must still be running at this point; it is stopped only in Step 5.

    1. Disable the krb5kdc service and remove its update log.
      kdc4 # svcadm disable network/security/krb5kdc
      kdc4 # rm /var/krb5/principal.ulog
    2. Restart the KDC service. With no update log present, the slave requests a full propagation from the master on its next poll.
      kdc4 # svcadm enable -r network/security/krb5kdc
    3. Verify that the update is complete. Wait at least one polling interval (sunw_dbprop_slave_poll in kdc.conf, two minutes in this example) before checking the log header. If the log is still empty after that interval, restart the propagation daemon as well, with svcadm restart network/security/krb5_prop, and check again.
      kdc4 # /usr/sbin/kproplog -h
    4. Reinitialize the update log for the new master KDC server, so that kdc4 starts as master with an empty log.
      kdc4 # svcadm disable network/security/krb5kdc
      kdc4 # rm /var/krb5/principal.ulog
  5. On the old master KDC, disable the kadmin and krb5kdc services.

    Disabling the kadmin service prevents any further changes to the KDC database, so nothing can be lost between the full update in Step 4 and the moment kdc4 takes over.

    kdc1 # svcadm disable network/security/kadmin
    kdc1 # svcadm disable network/security/krb5kdc
  6. On the old master KDC, specify the poll time for requesting propagations.

    kdc1 is now a slave of kdc4. Comment out the sunw_dbprop_master_ulogsize entry in /etc/krb5/kdc.conf and add a sunw_dbprop_slave_poll entry that defines how often kdc1 polls the master for updates. This entry sets the poll time to two minutes.

    kdc1 # pfedit /etc/krb5/kdc.conf
    [kdcdefaults]
    kdc_ports = 88,750
    
    [realms]
    EXAMPLE.COM= {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    sunw_dbprop_enable = true
    #  sunw_dbprop_master_ulogsize = 1000
    sunw_dbprop_slave_poll = 2m
    }
  7. On the old master KDC, move the master KDC commands and the kadm5.acl file.

    The master KDC commands must not be run from the old master KDC.

    kdc1 # mv /usr/lib/krb5/kprop /usr/lib/krb5/kprop.save
    kdc1 # mv /usr/lib/krb5/kadmind /usr/lib/krb5/kadmind.save
    kdc1 # mv /usr/sbin/kadmin.local /usr/sbin/kadmin.local.save
    kdc1 # mv /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.save
  8. On the DNS server, change the alias names for the master KDC.

    To point the alias at the new master, edit the example.com zone file and change the entry for masterkdc. Clients that locate the master KDC through this alias follow it as soon as the change is served.

    masterkdc IN CNAME kdc4
  9. On the DNS server, reload the new alias information.
    # svcadm refresh network/dns/server
  10. On the new master KDC, restore the master KDC commands and move the slave kpropd.acl file aside.

    You moved the master KDC commands aside in Step 3 of How to Configure a Swappable Slave KDC; kdc4 needs them again now that it is the master.

    kdc4 # mv /usr/lib/krb5/kprop.save /usr/lib/krb5/kprop
    kdc4 # mv /usr/lib/krb5/kadmind.save /usr/lib/krb5/kadmind
    kdc4 # mv /usr/sbin/kadmin.local.save /usr/sbin/kadmin.local
    kdc4 # mv /etc/krb5/kpropd.acl /etc/krb5/kpropd.acl.save
  11. On the new master KDC, create the Kerberos access control list file, kadm5.acl.

    Once populated, the /etc/krb5/kadm5.acl file should contain all principal names that are allowed to administer the KDC. The file should also list the kiprop principal of every slave that will request incremental propagation from kdc4, each with only the p (propagation) privilege. The old master, kdc1, is now one of those slaves; kdc2 and kdc3 need entries of the same form if they also use incremental propagation. For more information, see the kadm5.acl(4) man page.

    kdc4 # pfedit /etc/krb5/kadm5.acl
    kws/admin@EXAMPLE.COM   *
    kiprop/kdc1.example.com@EXAMPLE.COM p
    kiprop/kdc2.example.com@EXAMPLE.COM p
    kiprop/kdc3.example.com@EXAMPLE.COM p
  12. On the new master KDC, specify the update log size in the kdc.conf file.

    Comment out the sunw_dbprop_slave_poll entry and add an entry that defines sunw_dbprop_master_ulogsize. This entry sets the log size to 1000 entries.

    kdc4 # pfedit /etc/krb5/kdc.conf
    [kdcdefaults]
    kdc_ports = 88,750
    
    [realms]
    EXAMPLE.COM= {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    sunw_dbprop_enable = true
    #  sunw_dbprop_slave_poll = 2m
    sunw_dbprop_master_ulogsize = 1000
    }
  13. On the new master KDC, enable the kadmin and krb5kdc services.
    kdc4 # svcadm enable -r network/security/krb5kdc
    kdc4 # svcadm enable -r network/security/kadmin
  14. On the old master KDC, add the kiprop service principal.

    Adding the kiprop principal to the krb5.keytab file allows the kpropd daemon on kdc1 to authenticate itself to kadmind on kdc4 for the incremental propagation service. ktadd does not create the principal: kiprop/kdc1.example.com must already exist in the database (check with the kadmin getprinc command) and must be listed in the new master's kadm5.acl. ktadd also generates new random keys for the principal, which is why the kvno in the output increases.

    kdc1 # /usr/sbin/kadmin -p kws/admin
    Authenticating as principal kws/admin@EXAMPLE.COM with password.
    Enter password: xxxxxxxx
    kadmin: ktadd kiprop/kdc1.example.com
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: quit
  15. On the old master KDC, add an entry to the propagation configuration file, kpropd.acl, for each KDC listed in the krb5.conf file. The host principal of the new master, kdc4, must be present, because kpropd accepts full propagations only from principals listed in this file.
    kdc1 # pfedit /etc/krb5/kpropd.acl
    host/kdc1.example.com@EXAMPLE.COM
    host/kdc2.example.com@EXAMPLE.COM
    host/kdc3.example.com@EXAMPLE.COM
    host/kdc4.example.com@EXAMPLE.COM
  16. On the old master KDC, enable the kpropd and krb5kdc services.
    kdc1 # svcadm enable -r network/security/krb5_prop
    kdc1 # svcadm enable -r network/security/krb5kdc
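The kdc.conf edits in Steps 6 and 12 are mirror images of each other: the demoted KDC gets sunw_dbprop_slave_poll and loses sunw_dbprop_master_ulogsize, the promoted KDC the reverse, and getting either one wrong leaves a KDC that is neither a working master nor a polling slave. The following POSIX shell script is added here as an example; it is not part of the Oracle documentation or of the Solaris software. It applies and verifies that role switch on a copy of the stanza shown in Step 6. It assumes a single realm stanza in kdc.conf, the sunw_dbprop_* key names used on this page, and standard awk and mktemp; the sample kdc.conf it writes is constructed for the demonstration, and the function names write_sample_kdc_conf, kdc_role and kdc_set_role are the example's own.

```shell
#!/bin/sh
# Added example: switch the incremental-propagation role recorded in a
# kdc.conf between master and slave (the hand edits of Steps 6 and 12).
# Assumptions: POSIX sh/awk/mktemp, one [realms] stanza, the sunw_dbprop_*
# keys used on this page. Not part of the Oracle documentation.

# write_sample_kdc_conf FILE: a constructed kdc.conf in the slave role,
# mirroring the stanza shown in Step 6.
write_sample_kdc_conf() {
    cat > "$1" <<'EOF'
[kdcdefaults]
kdc_ports = 88,750

[realms]
EXAMPLE.COM= {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
sunw_dbprop_enable = true
#  sunw_dbprop_master_ulogsize = 1000
sunw_dbprop_slave_poll = 2m
}
EOF
}

# kdc_role FILE: print master, slave or unknown, judged by which of the two
# role keys is active (not commented out) while propagation is enabled.
# "unknown" covers both keys set, neither set, or propagation disabled.
kdc_role() {
    awk '
        /^[[:space:]]*#/ { next }
        /sunw_dbprop_enable[[:space:]]*=[[:space:]]*true/ { e = 1 }
        /sunw_dbprop_master_ulogsize[[:space:]]*=/        { m = 1 }
        /sunw_dbprop_slave_poll[[:space:]]*=/             { s = 1 }
        END {
            if (e && m && !s) print "master"
            else if (e && s && !m) print "slave"
            else print "unknown"
        }' "$1"
}

# kdc_set_role FILE master|slave [VALUE]: rewrite FILE in place so that the
# requested role's key is active (VALUE defaults to 1000 entries for master,
# 2m for slave) and the other role's key is commented out. Any stale copy of
# the requested key, active or commented, is dropped and a fresh line is
# written just before the closing brace of the realm stanza.
kdc_set_role() {
    file=$1 role=$2 value=$3
    case $role in
        master) on=sunw_dbprop_master_ulogsize off=sunw_dbprop_slave_poll
                : "${value:=1000}" ;;
        slave)  on=sunw_dbprop_slave_poll off=sunw_dbprop_master_ulogsize
                : "${value:=2m}" ;;
        *)      echo "usage: kdc_set_role FILE master|slave [VALUE]" >&2
                return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v on="$on" -v off="$off" -v val="$value" '
        # active line for the other role: keep it, but commented out
        $0 ~ ("^[[:space:]]*" off "[[:space:]]*=") { print "# " $0; next }
        # stale line for our role (active or commented): drop it
        $0 ~ ("^[[:space:]]*#?[[:space:]]*" on "[[:space:]]*=") { next }
        # closing brace of the realm stanza: emit the fresh line first
        $1 == "}" && !added { print on " = " val; added = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration: promote, then demote again, on the constructed sample.
demo() {
    f=$(mktemp) || return 1
    write_sample_kdc_conf "$f"
    echo "sample starts as: $(kdc_role "$f")"
    kdc_set_role "$f" master && echo "after promotion:  $(kdc_role "$f")"
    kdc_set_role "$f" slave 5m && echo "after demotion:   $(kdc_role "$f")"
    grep -n sunw_dbprop_ "$f"
    rm -f "$f"
}
demo
```

Run it against a copy first. On a real KDC the file is /etc/krb5/kdc.conf and the edit belongs in the window when kadmin and krb5kdc are disabled, as in Steps 5 and 13; kdc_role is a cheap check to run on every KDC at the end of a swap, since exactly one host should report master and every other host slave.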