Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014
 
 

How to Reconfigure a Slave KDC to Use Incremental Propagation

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Add entries to kdc.conf.

    The first new entry enables incremental propagation. The second new entry sets the poll time to two minutes.

    kdc2 # pfedit /etc/krb5/kdc.conf
    [kdcdefaults]
    kdc_ports = 88,750
    
    [realms]
    EXAMPLE.COM= {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    sunw_dbprop_enable = true
    sunw_dbprop_slave_poll = 2m
    }
  2. Add the kiprop principal to the krb5.keytab file.
    kdc2 # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: ktadd kiprop/kdc2.example.com
    Entry for principal kiprop/kdc2.example.com with kvno 3,
    encryption type AES-256 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc2.example.com with kvno 3,
    encryption type AES-128 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type Triple DES cbc
    mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: quit
  3. Restart kpropd.
    kdc2 # svcadm restart network/security/krb5_prop