Sun Enterprise Authentication Mechanism Guide

How to Configure a Swappable Slave KDC

Perform this procedure on the slave KDC server that you want to keep available as a standby for the master. The steps leave the slave with all of the master software installed, but with the master-only commands, the kadmind startup, and the kprop cron job disabled so that it cannot act as a master until it is deliberately swapped in.

  1. Use alias names for master and swappable slave KDC servers during the installation.

    When defining the hostnames for the KDCs, make sure that each system has an alias defined in DNS, and use the alias names rather than the real hostnames when defining the hosts in /etc/krb5/krb5.conf.

  2. Install master KDC software.

    Installing the master KDC software provides the binaries and other files that will be needed during a swap, including all of the files that a slave KDC server requires. Do not reboot the system when the installation is complete.

  3. Follow steps to install a slave KDC.

    Prior to any swap, this server should function just like any other slave KDC in the realm. See "How to Configure a Slave KDC" for instructions, but do not install the slave software package: all of the files that a slave requires were already installed with the master software in the previous step.

  4. Move master KDC commands.

    To prevent the master KDC commands from being run on this slave, move kprop, kadmind, and kadmin.local out of their normal locations by renaming them with a .save suffix. They are restored to their original names when the slave is swapped in as master.

    kdc4 # mv /usr/krb5/lib/kprop /usr/krb5/lib/kprop.save
    kdc4 # mv /usr/krb5/lib/kadmind /usr/krb5/lib/kadmind.save
    kdc4 # mv /usr/krb5/sbin/kadmin.local /usr/krb5/sbin/kadmin.local.save

  5. Disable kadmind startup in /etc/init.d/kdc.master.

    To prevent the slave from handling requests to change the KDC database, comment out the line that starts kadmind in the script's 'start' case, so that it reads as follows:

    kdc4 # cat /etc/init.d/kdc.master
     .
     .
    case "$1" in
    'start')

            if [ -f $KDC_CONF_DIR/kdc.conf ]
            then
    #                $BINDIR/kadmind
            fi
            ;;

  6. Comment out the kprop line in the root crontab file.

    This step prevents the slave from propagating its copy of the KDC database to the other KDCs. After editing, the kprop_script entry is the only commented-out job in the crontab:

    kdc4 # crontab -e
    #ident  "@(#)root       1.19    98/07/06 SMI"   /* SVr4.0 1.1.3.1       */
    #
    # The root crontab should be used to perform accounting data collection.
    #
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    #
    10 3 * * 0,4 /etc/cron.d/logchecker
    10 3 * * 0   /usr/lib/newsyslog
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    #10 3 * * * /usr/krb5/lib/kprop_script kdc1.acme.sun.com #SUNWkr5ma
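Steps 4 through 6 leave the slave in a state that is easy to undo by accident (a package reinstall or a crontab restore can silently bring kprop back). The following audit script is an added example and is not part of the SEAM guide: it checks that the master commands are parked under their .save names, that no uncommented line of the kdc.master script starts kadmind, and that no active crontab entry runs kprop_script. The function names and the make_fixture tree it builds are this example's own; the paths it takes as parameters stand in for /usr/krb5, /etc/init.d/kdc.master, and the output of crontab -l for root.

```sh
#!/bin/sh
# Added example, not part of the SEAM guide: audit a slave KDC for the
# "swappable" state from steps 4-6. Paths are parameters so the check can be
# run against a constructed tree; on a real system they would be /usr/krb5,
# /etc/init.d/kdc.master and a listing of root's crontab.

# Step 4: kprop, kadmind and kadmin.local must exist only under their .save
# names, relative to the /usr/krb5 root given as $1.
check_master_cmds_parked() {
    root="$1"
    bad=0
    for f in lib/kprop lib/kadmind sbin/kadmin.local; do
        if [ -e "$root/$f" ]; then
            echo "active master command still present: $root/$f" >&2
            bad=1
        fi
        if [ ! -e "$root/$f.save" ]; then
            echo "parked copy missing: $root/$f.save" >&2
            bad=1
        fi
    done
    return $bad
}

# Step 5: no uncommented line of the kdc.master script ($1) may start kadmind.
check_kadmind_disabled() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'kadmind'; then
        echo "kadmind is still started from $1" >&2
        return 1
    fi
    return 0
}

# Step 6: no active entry in the crontab listing ($1) may run kprop_script.
check_kprop_cron_disabled() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q 'kprop_script'; then
        echo "kprop_script is still scheduled in $1" >&2
        return 1
    fi
    return 0
}

# Run all three checks; exit status 0 only if the slave cannot act as a master.
audit_swappable_slave() {
    rc=0
    check_master_cmds_parked "$1" || rc=1
    check_kadmind_disabled "$2" || rc=1
    check_kprop_cron_disabled "$3" || rc=1
    return $rc
}

# Constructed fixture (hypothetical, for running the audit offline): a tree
# under $1 shaped like a correctly prepared swappable slave.
make_fixture() {
    d="$1"
    mkdir -p "$d/lib" "$d/sbin"
    : > "$d/lib/kprop.save"
    : > "$d/lib/kadmind.save"
    : > "$d/sbin/kadmin.local.save"
    cat > "$d/kdc.master" <<'EOF'
case "$1" in
'start')
        if [ -f $KDC_CONF_DIR/kdc.conf ]
        then
#                $BINDIR/kadmind
        fi
        ;;
esac
EOF
    cat > "$d/crontab" <<'EOF'
10 3 * * 0,4 /etc/cron.d/logchecker
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
#10 3 * * * /usr/krb5/lib/kprop_script kdc1.acme.sun.com #SUNWkr5ma
EOF
}

# Usage against the fixture:
#   make_fixture /tmp/kdc4
#   audit_swappable_slave /tmp/kdc4 /tmp/kdc4/kdc.master /tmp/kdc4/crontab
```

On the real slave the same call is audit_swappable_slave /usr/krb5 /etc/init.d/kdc.master with a file holding the output of crontab -l for root; a non-zero exit with the printed reason means one of the three safeguards has been undone.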