Propagating the Kerberos database from the master KDC to the slave KDCs is one of the most important configuration tasks. If propagation doesn't happen often enough, the master KDC and the slave KDCs will lose synchronization. Then, if the master KDC goes down, the slave KDCs will not have the most recent database information. Also, if a slave KDC has been configured as a master KDC for purposes of load balancing, the clients that use that slave KDC as a master KDC will not have the latest information.
Make sure that propagation occurs often enough or else configure the servers for incremental propagation, based on how often you change the Kerberos database. Incremental propagation is preferred over other propagation methods. Manual propagation of the database requires more administrative overhead and full propagation is inefficient.
Caution - To avoid data loss, you should manually propagate the database if you add significant updates to the Kerberos database before a regularly scheduled propagation.
The kpropd.acl file on a slave KDC provides a list of host principal names, one name per line, that specifies the systems from which the KDC can receive an updated database through propagation. If the master KDC is used to propagate all the slave KDCs, the kpropd.acl file on each slave needs to contain only the host principal name of the master KDC.
However, the Kerberos installation and subsequent configuration steps described in this guide instruct you to use the same kpropd.acl file on the master KDC and the slave KDCs. This file contains all the KDC host principal names. This configuration enables you to propagate from any KDC, in case the propagating KDCs become temporarily unavailable. The identical copy on all KDCs eases maintenance.
The kprop_script command uses the kprop command to propagate the Kerberos database to other KDCs. If the kprop_script command is run on a slave KDC, it propagates the slave KDC's copy of the Kerberos database to other KDCs. The kprop_script accepts a list of host names for arguments, separated by spaces, which indicate the KDCs to propagate.
When kprop_script is run, it creates a backup of the Kerberos database to the /var/krb5/slave_datatrans file and copies the file to the specified KDCs. The Kerberos database is locked until the propagation is finished.
When you configure the master KDC, you set up the kprop_script command in a cron job to automatically back up the Kerberos database to the /var/krb5/slave_datatrans dump file and propagate it to the slave KDCs. But, as with any file, the Kerberos database can become corrupted. Data corruption is not an issue on a slave KDC, because the next automatic propagation of the database installs a fresh copy. However, if corruption occurs on the master KDC, the corrupted database is propagated to all of the slave KDCs during the next propagation. The corrupted backup also overwrites the previous uncorrupted backup file on the master KDC.
To protect against this scenario, set up a cron job to periodically copy the slave_datatrans dump file to another location or to create another separate backup copy by using the dump command of kdb5_util. Then, if your database becomes corrupted, you can restore the most recent backup on the master KDC by using the load command of kdb5_util.
Another important note: Because the database dump file contains principal keys, you need to protect the file from being accessed by unauthorized users. By default, the database dump file has read and write permissions only as root. To protect against unauthorized access, propagate the database dump file with the kprop command, because this command encrypts the data that is being transferred. Also, kprop propagates the data only to the slave KDCs, which minimizes the chance of accidentally sending the database dump file to unauthorized hosts.Example 4-13 Manually Backing Up the Kerberos Database
You use the dump command of the kdb5_util command to back up the database. Run this command in a directory that is owned by root.
# /usr/sbin/kdb5_util dump
In the following example, the Kerberos database is backed up to a file called dumpfile. Because the –verbose option is specified, each principal is printed as it is backed up. Because no principals are specified, the entire database is backed up.
# kdb5_util dump -verbose /var/user/kadmin/dumpfile kadmin/kdc1.corp.example.com@CORP.EXAMPLE.COM krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM kadmin/history@CORP.EXAMPLE.COM pak/admin@CORP.EXAMPLE.COM pak@CORP.EXAMPLE.COM changepw/kdc1.corp.example.com@CORP.EXAMPLE.COM
In the following example, the dump contains only the pak and pak/admin principals.
# kdb5_util dump -verbose pakfile pak/admin@CORP.EXAMPLE.COM pak@CORP.EXAMPLE.COM pak/admin@CORP.EXAMPLE.COM pak@CORP.EXAMPLE.COM
For more information, see the kdb5_util(1M) man page.