Sun Enterprise Authentication Mechanism Guide

How to Swap a Master and Slave KDC

This procedure requires that the slave KDC server has already been set up as a swappable slave (see "How to Configure a Swappable Slave KDC"). In this procedure, the master server being swapped out is named kdc1, and the slave that becomes the new master is named kdc4.

  1. On the old master: Kill the kadmind process.

    Killing the kadmind process prevents any changes from being made to the KDC database.


    kdc1 # /etc/init.d/kdc.master stop
    
  2. On the old master: Comment out the kprop line in the root crontab file.

    This step prevents the old master from propagating its copy of the KDC database.


    kdc1 # crontab -e
    #ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
    #
    # The root crontab should be used to perform accounting data collection.
    #
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    #
    10 3 * * 0,4 /etc/cron.d/logchecker
    10 3 * * 0   /usr/lib/newsyslog
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    #10 3 * * * /usr/krb5/lib/kprop_script kdc2.acme.sun.com #SUNWkr5ma
    
  3. On the old master: Disable kadmind startup in /etc/init.d/kdc.master.

    To prevent the master from restarting kadmind if the server is rebooted, comment out the line that starts kadmind in the script:


    kdc1 # cat /etc/init.d/kdc.master
    
     .
     .
    
    case "$1" in
    'start')
    
            if [ -f $KDC_CONF_DIR/kdc.conf ]
            then
    #                $BINDIR/kadmind 
            fi
            ;;
  4. On the old master: Run kprop_script to back up and propagate the database.


    kdc1 # /usr/krb5/lib/kprop_script kdc4.acme.com
    Database propagation to kdc4.acme.com: SUCCEEDED
  5. On the old master: Move master KDC commands.

    To prevent the master KDC commands from being run, move kprop, kadmind and kadmin.local to a reserved place.


    kdc1 # mv /usr/krb5/lib/kprop /usr/krb5/lib/kprop.save
    kdc1 # mv /usr/krb5/lib/kadmind /usr/krb5/lib/kadmind.save
    kdc1 # mv /usr/krb5/sbin/kadmin.local /usr/krb5/sbin/kadmin.local.save
    
  6. On the DNS server: Change alias names for the master.

    To change the servers, edit the acme.com zone file and change the entry for masterkdc.


    masterkdc IN CNAME kdc4
  7. On the DNS server: Restart the Internet domain name server.

    Run the following command on both servers to get the new alias information:


    # pkill -1 in.named
  8. On the new master: Move master KDC commands.


    kdc4 # mv /usr/krb5/lib/kprop.save /usr/krb5/lib/kprop
    kdc4 # mv /usr/krb5/lib/kadmind.save /usr/krb5/lib/kadmind
    kdc4 # mv /usr/krb5/sbin/kadmin.local.save /usr/krb5/sbin/kadmin.local
    
  9. On the new master: Create a keytab file for kadmin using kadmin.local.

    This command sequence creates a special keytab file with principal entries for kadmin and changepw. These principals are needed by the kadmind service.


    kdc4 # /usr/krb5/sbin/kadmin.local
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc4.acme.com
    Entry for principal kadmin/kdc4.acme.com with kvno 3, encryption type DES-CBC-CRC
              added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc4.acme.com
    Entry for principal changepw/kdc4.acme.com with kvno 3, encryption type DES-CBC-CRC 
              added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    kadmin.local: quit
    
  10. On the new master: Enable kadmind startup in /etc/init.d/kdc.master.


    kdc4 # cat /etc/init.d/kdc.master
    
     .
     .
    
    case "$1" in
    'start')
    
            if [ -f $KDC_CONF_DIR/kdc.conf ]
            then
                    $BINDIR/kadmind 
            fi
            ;;
  11. On the new master: Start kadmind.


    kdc4 # /etc/init.d/kdc.master start
    
  12. On the new master: Enable the kprop line in the root crontab file.


    kdc4 # crontab -e
    #ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
    #
    # The root crontab should be used to perform accounting data collection.
    #
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    #
    10 3 * * 0,4 /etc/cron.d/logchecker
    10 3 * * 0   /usr/lib/newsyslog
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    10 3 * * * /usr/krb5/lib/kprop_script kdc1.acme.sun.com #SUNWkr5ma
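
Steps 2 and 12 toggle the kprop_script entry by hand in crontab -e. The following is an added example, not part of the SEAM guide, that does the same edit on a saved crontab file and counts the active kprop lines so an administrator can confirm which KDC will propagate the database; the sample crontab it writes is constructed here to mirror the root crontab shown above, and the crontab -l / crontab <file> round trip in the comment is an assumed way to apply it.

```shell
#!/bin/sh
# Added example (not from the SEAM guide). Real-host usage, assumed:
#   crontab -l > /tmp/root.cron; disable_kprop /tmp/root.cron; crontab /tmp/root.cron

# Step 2 (old master): comment out every active kprop_script cron line.
disable_kprop() {
    sed 's|^\([0-9*].*/usr/krb5/lib/kprop_script\)|#\1|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Step 12 (new master): re-enable kprop_script cron lines that were commented out.
enable_kprop() {
    sed 's|^#\([0-9*].*/usr/krb5/lib/kprop_script\)|\1|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Number of active (uncommented) kprop_script lines; 0 means this host
# will not push its copy of the KDC database to anyone.
active_kprop_count() {
    grep -c '^[0-9*].*/usr/krb5/lib/kprop_script' "$1" || true
}

# Constructed sample crontab laid out like the root crontab in the guide.
write_sample_crontab() {
    cat > "$1" <<'EOF'
#ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
10 3 * * 0,4 /etc/cron.d/logchecker
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
10 3 * * * /usr/krb5/lib/kprop_script kdc4.acme.com #SUNWkr5ma
EOF
}

# Walk through the swap on the sample file.
f=/tmp/root.cron.$$
write_sample_crontab "$f"
echo "before:        active kprop lines = $(active_kprop_count "$f")"
disable_kprop "$f"
echo "after step 2:  active kprop lines = $(active_kprop_count "$f")"
enable_kprop "$f"
echo "after step 12: active kprop lines = $(active_kprop_count "$f")"
rm -f "$f"
```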