System Administration Guide: Security Services

How to Configure a Swappable Slave KDC

Perform this procedure on the slave KDC server that you want to have available to become the master KDC.

  1. Use alias names for the master KDC and the swappable slave KDC during the KDC installation.

    When you define the host names for the KDCs, make sure that each system has an alias included in DNS. Also, use the alias names when you define the hosts in the /etc/krb5/krb5.conf file.

  2. Follow the steps to install a slave KDC.

    Prior to any swap, this server should function as any other slave KDC in the realm. See How to Configure a Slave KDC for instructions.

  3. Move the master KDC commands.

    To prevent the master KDC commands from being run from this slave KDC, move the kprop, kadmind and kadmin.local commands to a reserved place.

    kdc4 # mv /usr/lib/krb5/kprop /usr/lib/krb5/
    kdc4 # mv /usr/lib/krb5/kadmind /usr/lib/krb5/
    kdc4 # mv /usr/sbin/kadmin.local /usr/sbin/
  4. Comment out the kprop line in the root crontab file.

    This step prevents the slave KDC from propagating its copy of the KDC database.

    kdc4 # crontab -e
    #ident  "@(#)root       1.20    01/11/06 SMI"
    # The root crontab should be used to perform accounting data collection.
    # The rtc command is run to adjust the real time clock if and when
    # daylight savings time changes.
    10 3 * * * /usr/sbin/logadm
    15 3 * * 0 /usr/lib/fs/nfs/nfsfind
    1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
    30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
    #10 3 * * * /usr/lib/krb5kprop_script #SUNWkr5ma