These procedures make it easier to swap a master KDC with a slave KDC. A swap should only be done if the master KDC server fails for some reason or if the master needs to be re-installed (for example, on new hardware).
This procedure should be done on the slave KDC server that you want to have available to become the master.
Use alias names for master and swappable slave KDC servers during the installation.
When defining the hostnames for the KDCs, make sure that each system has an alias included in DNS and use the alias names when defining the hosts in /etc/krb5/krb5.conf.
Disable hostname checking in the KDC startup script on both master and swappable slave.
Using alias names for the master and swappable slave KDC servers means that the check in the startup script, which verifies that the current nodename is in /etc/krb5/krb5.conf before starting the KDC server, fails. To use the alias names so that the swap is easy to do, comment out the two lines that make that check in /etc/init.d/kdc, together with the fi that closes the commented-out if, as shown below:

    if [ -f $KDC_CONF_DIR/kdc.conf ]
    then
    #       node=`uname -n`
    #       if grep -i "kdc.*=.*$node" /etc/krb5/krb5.conf > /dev/null 2>&1 ; then
                    $BINDIR/krb5kdc
    #       fi
    fi
    ;;
Install master KDC software.
Installing the master KDC software provides the binaries and other files that will be needed during a swap, which includes all of the files that a slave KDC server requires. Do not reboot the system when the installation is complete.
Follow steps to install a slave KDC.
Prior to any swapping, this server should function just like any other slave KDC in the realm. See "How to Configure a Slave KDC" for instructions. Do not install the slave software. All of the files that are required are installed when the master software is installed.
Move master KDC commands.
To prevent the master KDC commands from being run from this slave, move kprop, kadmind and kadmin.local to a reserved place.
    kdc4 # mv /usr/lib/kprop /usr/lib/kprop.save
    kdc4 # mv /usr/krb5/lib/kadmind /usr/krb5/lib/kadmind.save
    kdc4 # mv /usr/krb5/sbin/kadmin.local /usr/krb5/sbin/kadmin.local.save
Disable kadmind startup in /etc/init.d/kdc.master.
To prevent the slave from handling requests to change the KDC database, comment out the line that starts kadmind in the script:
    kdc4 # cat /etc/init.d/kdc.master
    .
    .
    case "$1" in
    'start')
            if [ -f $KDC_CONF_DIR/kdc.conf ]
            then
    #               $BINDIR/kadmind
            fi
            ;;
Comment out kprop line in the root crontab file.
This step prevents the slave from propagating its copy of the KDC database.
    kdc4 # crontab -e
    #ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1        */
    #
    # The root crontab should be used to perform accounting data collection.
    #
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    #
    10 3 * * 0,4 /etc/cron.d/logchecker
    10 3 * * 0 /usr/lib/newsyslog
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    #10 3 * * * /usr/krb5/lib/kprop_script kdc1.acme.sun.com #SUNWkr5ma
This procedure requires that the slave KDC server has been set up as a swappable slave (see "How to Configure a Swappable Slave KDC"). In this procedure the master server that is being swapped out is named kdc1 and the slave that will become the new master is named kdc4.
On the old master: Kill the kadmind process.
Killing the kadmind process prevents any changes from being made to the KDC database.
    kdc1 # /etc/init.d/kdc.master stop
On the old master: Comment out kprop line in the root crontab file.
This step prevents the old master from propagating its copy of the KDC database.
    kdc1 # crontab -e
    #ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1        */
    #
    # The root crontab should be used to perform accounting data collection.
    #
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    #
    10 3 * * 0,4 /etc/cron.d/logchecker
    10 3 * * 0 /usr/lib/newsyslog
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    #10 3 * * * /usr/krb5/lib/kprop_script kdc2.acme.sun.com #SUNWkr5ma
On the old master: Disable kadmind startup in /etc/init.d/kdc.master.
To prevent the master from restarting kadmind if the server is rebooted, comment out the line that starts kadmind in the script:
    kdc1 # cat /etc/init.d/kdc.master
    .
    .
    case "$1" in
    'start')
            if [ -f $KDC_CONF_DIR/kdc.conf ]
            then
    #               $BINDIR/kadmind
            fi
            ;;
On the old master: Run kprop_script to back up and propagate the database.
    kdc1 # /usr/krb5/lib/kprop_script kdc4.acme.com
    Database propagation to kdc4.acme.com: SUCCEEDED
On the old master: Move master KDC commands.
To prevent the master KDC commands from being run on the old master, move kprop, kadmind and kadmin.local to a reserved place.

    kdc1 # mv /usr/lib/kprop /usr/lib/kprop.save
    kdc1 # mv /usr/krb5/lib/kadmind /usr/krb5/lib/kadmind.save
    kdc1 # mv /usr/krb5/sbin/kadmin.local /usr/krb5/sbin/kadmin.local.save
On the DNS server: Change alias names for the master.
To change the servers, edit the acme.com zone file and change the entry for masterkdc.
    masterkdc IN CNAME kdc4
On the DNS server: Restart internet domain name server.
Run the following command on both servers to get the new alias information:
    # pkill -1 in.named
On the new master: Move master KDC commands.
    kdc4 # mv /usr/lib/kprop.save /usr/lib/kprop
    kdc4 # mv /usr/krb5/lib/kadmind.save /usr/krb5/lib/kadmind
    kdc4 # mv /usr/krb5/sbin/kadmin.local.save /usr/krb5/sbin/kadmin.local
On the new master: Create a keytab file for kadmin using kadmin.local.
This command sequence creates a special keytab file with principal entries for kadmin and changepw. These principals are needed for the kadmind service.

    kdc4 # /usr/krb5/sbin/kadmin.local
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc4.acme.com
    Entry for principal kadmin/kdc4.acme.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc4.acme.com
    Entry for principal changepw/kdc4.acme.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: quit
On the new master: Enable kadmind startup in /etc/init.d/kdc.master.
    kdc4 # cat /etc/init.d/kdc.master
    .
    .
    case "$1" in
    'start')
            if [ -f $KDC_CONF_DIR/kdc.conf ]
            then
                    $BINDIR/kadmind
            fi
            ;;
On the new master: Start kadmind.
    kdc4 # /etc/init.d/kdc.master start
On the new master: Enable the kprop line in the root crontab file.

    kdc4 # crontab -e
    #ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1        */
    #
    # The root crontab should be used to perform accounting data collection.
    #
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    #
    10 3 * * 0,4 /etc/cron.d/logchecker
    10 3 * * 0 /usr/lib/newsyslog
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    10 3 * * * /usr/krb5/lib/kprop_script kdc1.acme.sun.com #SUNWkr5ma
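The same three edits recur in both procedures above, on the swappable slave and on each side of the swap: park or restore the master-only commands, and comment out or re-enable the kprop_script crontab entry and the kadmind line in /etc/init.d/kdc.master. The following sh script, an added example that is not part of Sun's procedure, does those edits non-interactively and reports whether a host is currently in the master or slave state, so a half-finished swap can be caught before kadmind is started. MASTER_CMDS holds the three paths from the page; the ROOT prefix argument is a hypothetical addition so the functions can be exercised against a scratch tree rather than the live host.

```shell
#!/bin/sh
# Paths of the master-only commands named in the procedure (assumed unchanged).
MASTER_CMDS="/usr/lib/kprop /usr/krb5/lib/kadmind /usr/krb5/sbin/kadmin.local"

# master_cmds disable|enable [ROOT]
# Park the master-only commands as *.save (disable) or bring them back (enable).
# ROOT is a hypothetical prefix (default empty) so the function can be run
# against a scratch tree instead of the live host.
master_cmds() {
    mode=$1; root=${2:-}
    for f in $MASTER_CMDS; do
        case $mode in
        disable) [ -f "$root$f" ] && mv "$root$f" "$root$f.save" ;;
        enable)  [ -f "$root$f.save" ] && mv "$root$f.save" "$root$f" ;;
        *) echo "usage: master_cmds disable|enable [root]" >&2; return 2 ;;
        esac
    done
    return 0
}

# master_state [ROOT]
# Print "master" (all three commands live), "slave" (all three parked) or
# "mixed" (a half-finished swap); returns 1 for mixed so scripts can abort.
master_state() {
    root=${1:-}; live=0; saved=0
    for f in $MASTER_CMDS; do
        [ -f "$root$f" ] && live=$((live + 1))
        [ -f "$root$f.save" ] && saved=$((saved + 1))
    done
    if [ "$live" -eq 3 ] && [ "$saved" -eq 0 ]; then echo master; return 0; fi
    if [ "$live" -eq 0 ] && [ "$saved" -eq 3 ]; then echo slave; return 0; fi
    echo mixed; return 1
}

# toggle_line disable|enable FILE PATTERN
# Comment out (disable) or uncomment (enable) each line of FILE that matches
# PATTERN, keeping indentation; lines that are already commented are left alone.
# Use on a saved crontab (crontab -l > f; toggle_line ...; crontab f) for the
# kprop_script entry, or on /etc/init.d/kdc.master for the kadmind line.
toggle_line() {
    mode=$1; file=$2; pattern=$3
    case $mode in
    disable) sed -e '\%'"$pattern"'%s|^\([[:blank:]]*\)\([^#]\)|\1#\2|' "$file" > "$file.tmp" ;;
    enable)  sed -e '\%'"$pattern"'%s|^\([[:blank:]]*\)#|\1|' "$file" > "$file.tmp" ;;
    *) echo "usage: toggle_line disable|enable file pattern" >&2; return 2 ;;
    esac
    mv "$file.tmp" "$file"
}
```

Running master_state on both hosts before the "Start kadmind" step confirms that exactly one of them holds the master commands.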