System Administration Guide: Security Services

ProcedureHow to Swap a Master KDC and a Slave KDC

In this procedure, the master KDC server that is being swapped out is named kdc1. The slave KDC that will become the new master KDC is named kdc4. This procedure assumes that you are using incremental propagation.

Before You Begin

This procedure requires that the slave KDC server has been set up as a swappable slave. For more information, see How to Configure a Swappable Slave KDC).

  1. On the new master KDC, start kadmin.


    kdc4 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: 
    1. Create new principals for the kadmind service.

      The following example shows the first addprinc command on two lines, but it should be typed on one line.


      kadmin: addprinc -randkey -allow_tgs_req +password_changing_service -clearpolicy \
             changepw/kdc4.example.com
      Principal "changepw/kdc4.example.com@ENG.SUN.COM" created.
      kadmin: addprinc -randkey -allow_tgs_req -clearpolicy kadmin/kdc4.example.com
      Principal "kadmin/kdc4.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. Create a keytab file.


      kadmin: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc4.example.com
      Entry for principal kadmin/kdc4.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc4.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc4.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc4.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc4.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc4.example.com
      Entry for principal changepw/kdc4.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc4.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc4.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc4.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc4.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
      Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin: 
    3. Quit kadmin.


      kadmin: quit
      
  2. On the new master KDC, force synchronization.

    The following steps force a full KDC update on the slave server.


    kdc4 # svcadm disable network/security/krb5kdc
    kdc4 # rm /var/krb5/principal.ulog
    
  3. On the new master KDC, verify that the update is complete.


    kdc4 # /usr/sbin/kproplog -h
    
  4. On the new master KDC, restart the KDC service.


    kdc4 # svcadm enable -r network/security/krb5kdc
    
  5. On the new master KDC, clear the update log.

    These steps reinitialize the update log for the new master KDC server.


    kdc4 # svcadm disable network/security/krb5kdc
    kdc4 # rm /var/krb5/principal.ulog
    
  6. On the old master KDC, kill the kadmind and krb5kdc processes.

    When you kill the kadmind process, you prevent any changes from being made to the KDC database.


    kdc1 # svcadm disable network/security/kadmin
    kdc1 # svcadm disable network/security/krb5kdc
    
  7. On the old master KDC, specify the poll time for requesting propagations.

    Comment out the sunw_dbprop_master_ulogsize entry in /etc/krb5/kdc.conf and add an entry defining sunw_dbprop_slave_poll. The entry sets the poll time to 2 minutes.


    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM= {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
    #               sunw_dbprop_master_ulogsize = 1000
                    sunw_dbprop_slave_poll = 2m
            }
  8. On the old master KDC, move the master KDC commands and the kadm5.acl file.

    To prevent the master KDC commands from being run, move the kprop, kadmind, and kadmin.local commands to a reserved place.


    kdc1 # mv /usr/lib/krb5/kprop /usr/lib/krb5/kprop.save
    kdc1 # mv /usr/lib/krb5/kadmind /usr/lib/krb5/kadmind.save
    kdc1 # mv /usr/sbin/kadmin.local /usr/sbin/kadmin.local.save
    kdc1 # mv /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.save
    
  9. On the DNS server, change the alias names for the master KDC.

    To change the servers, edit the example.com zone file and change the entry for masterkdc.


    masterkdc IN CNAME kdc4
  10. On the DNS server, restart the Internet domain name server.

    Run the following command to reload the new alias information:


    # svcadm refresh network/dns/server
    
  11. On the new master KDC, move the master KDC commands and the slave kpropd.acl file.


    kdc4 # mv /usr/lib/krb5/kprop.save /usr/lib/krb5/kprop
    kdc4 # mv /usr/lib/krb5/kadmind.save /usr/lib/krb5/kadmind
    kdc4 # mv /usr/sbin/kadmin.local.save /usr/sbin/kadmin.local
    kdc4 # mv /etc/krb5/kpropd.acl /etc/krb5/kpropd.acl.save
    
  12. On the new master KDC, create the Kerberos access control list file (kadm5.acl).

    Once populated, the /etc/krb5/kadm5.acl file should contain all principal names that are allowed to administer the KDC. The file should also list all of the slaves that make requests for incremental propagation. See the kadm5.acl(4) man page for more information.


    kdc4 # cat /etc/krb5/kadm5.acl
    kws/admin@EXAMPLE.COM   *
    kiprop/kdc1.example.com@EXAMPLE.COM p
    
  13. On the new master KDC, specify the update log size in the kdc.conf file.

    Comment out the sunw_dbprop_slave_poll entry and add an entry defining sunw_dbprop_master_ulogsize. The entry sets the log size to 1000 entries.


    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM= {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
    #               sunw_dbprop_slave_poll = 2m
                    sunw_dbprop_master_ulogsize = 1000
            }
  14. On the new master KDC, add the kiprop principal to the kadmind keytab file.


    kdc4 # kadmin.local
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc4.example.com
    Entry for principal kiprop/kdc4.example.com with kvno 3, encryption type AES-256 CTS mode
              with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/kdc4.example.com with kvno 3, encryption type AES-128 CTS mode
              with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/kdc4.example.com with kvno 3, encryption type Triple DES cbc
              mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/kdc4.example.com with kvno 3, encryption type ArcFour
              with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    Entry for principal kiprop/kdc4.example.com with kvno 3, encryption type DES cbc mode
              with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: quit
    
  15. On the new master KDC, start kadmind and krb5kdc.


    kdc4 # svcadm enable -r network/security/krb5kdc
    kdc4 # svcadm enable -r network/security/kadmin
    
  16. On the old master KDC, add the kiprop service principal.

    Adding the kiprop principal to the krb5.keytab file allows the kpropd daemon to authenticate itself for the incremental propagation service.


    kdc1 # /usr/sbin/kadmin -p kws/admin
    Authenticating as pricipal kws/admin@EXAMPLE.COM with password.
    Enter password: <Type kws/admin password>
    kadmin: ktadd kiprop/kdc1.example.com
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
              with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
              with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type Triple DES cbc
              mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type ArcFour
              with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type DES cbc mode
              with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: quit
    
  17. On the old master KDC, add an entry for each KDC listed in krb5.conf to the propagation configuration file, kpropd.acl.


    kdc1 # cat /etc/krb5/kpropd.acl
    host/kdc1.example.com@EXAMPLE.COM
    host/kdc2.example.com@EXAMPLE.COM
    host/kdc3.example.com@EXAMPLE.COM
    host/kdc4.example.com@EXAMPLE.COM
  18. On the old master KDC, start kpropd and krb5kdc.

    When the krb5kdc daemon is started, kpropd also starts if the system is configured as a slave.


    kdc1 # svcadm enable network/security/krb5kdc