In this procedure, the master KDC server being swapped out is named kdc1, and the slave KDC server that becomes the new master KDC is named kdc4. The procedure assumes that incremental propagation is in use.
Before You Begin
Complete the procedure in How to Configure a Swappable Slave KDC.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
On the new master KDC, start kadmin as the administration principal:
kdc4 # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:
Create the service principals that kadmind on kdc4 needs. The following example shows the first addprinc command on two lines, but the command must be typed on a single line.
kadmin: addprinc -randkey -allow_tgs_req +password_changing_service -clearpolicy \
changepw/kdc4.example.com
Principal "changepw/kdc4.example.com@EXAMPLE.COM" created.
kadmin: addprinc -randkey -allow_tgs_req -clearpolicy kadmin/kdc4.example.com
Principal "kadmin/kdc4.example.com@EXAMPLE.COM" created.
kadmin:
Then quit kadmin:
kadmin: quit
The following steps force a full KDC update on the slave server. On the new master KDC, stop the KDC daemon and remove the update log:
kdc4 # svcadm disable network/security/krb5kdc
kdc4 # rm /var/krb5/principal.ulog
Display the update log header (kproplog -h prints only the header information: log state, number of entries, and first and last serial numbers):
kdc4 # /usr/sbin/kproplog -h
Restart the KDC daemon:
kdc4 # svcadm enable -r network/security/krb5kdc
Once the update has completed, stop the KDC daemon and remove the update log once more:
kdc4 # svcadm disable network/security/krb5kdc
kdc4 # rm /var/krb5/principal.ulog
On the old master KDC, stop the kadmin and KDC services. Stopping the kadmin service prevents any further changes to the KDC database.
kdc1 # svcadm disable network/security/kadmin
kdc1 # svcadm disable network/security/krb5kdc
On the old master KDC, comment out the sunw_dbprop_master_ulogsize entry in /etc/krb5/kdc.conf and add an entry that defines the polling interval for the slave server. The entry below sets the poll time to two minutes.
kdc1 # pfedit /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM= {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                # sunw_dbprop_master_ulogsize = 1000
                sunw_dbprop_slave_poll = 2m
        }
The master KDC commands must not be run from the old master KDC, so move them, together with the kadm5.acl file, out of the way:
kdc1 # mv /usr/lib/krb5/kprop /usr/lib/krb5/kprop.save
kdc1 # mv /usr/lib/krb5/kadmind /usr/lib/krb5/kadmind.save
kdc1 # mv /usr/sbin/kadmin.local /usr/sbin/kadmin.local.save
kdc1 # mv /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.save
On the DNS server, change the alias for the master KDC: edit the example.com zone file and change the masterkdc entry.
masterkdc IN CNAME kdc4
Then refresh the DNS service so that the new alias is served:
# svcadm refresh network/dns/server
On the new master KDC, restore the master KDC commands, which were moved aside in Step 3 of How to Configure a Swappable Slave KDC, and move the kpropd.acl file out of the way:
kdc4 # mv /usr/lib/krb5/kprop.save /usr/lib/krb5/kprop
kdc4 # mv /usr/lib/krb5/kadmind.save /usr/lib/krb5/kadmind
kdc4 # mv /usr/sbin/kadmin.local.save /usr/sbin/kadmin.local
kdc4 # mv /etc/krb5/kpropd.acl /etc/krb5/kpropd.acl.save
On the new master KDC, create the Kerberos access control list file. Once populated, /etc/krb5/kadm5.acl should contain every principal name that is allowed to administer the KDC, and it should also list every slave that may request incremental propagation (its kiprop principal with the p privilege). For more information, see the kadm5.acl(4) man page.
kdc4 # pfedit /etc/krb5/kadm5.acl
kws/admin@EXAMPLE.COM *
kiprop/kdc1.example.com@EXAMPLE.COM p
On the new master KDC, comment out the sunw_dbprop_slave_poll entry and add an entry that defines sunw_dbprop_master_ulogsize. The entry below sets the update log size to 1000 entries. This edit is made on kdc4, the new master, which is why the slave poll interval is disabled here.
kdc4 # pfedit /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM= {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                # sunw_dbprop_slave_poll = 2m
                sunw_dbprop_master_ulogsize = 1000
        }
On the new master KDC, start the KDC daemon and kadmind:
kdc4 # svcadm enable -r network/security/krb5kdc
kdc4 # svcadm enable -r network/security/kadmin
On the new slave KDC, allow the kpropd daemon to authenticate itself to the incremental propagation service by adding the kiprop principal to the krb5.keytab file.
kdc1 # /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin@EXAMPLE.COM with password.
Enter password: xxxxxxxx
kadmin: ktadd kiprop/kdc1.example.com
Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit
On the new slave KDC, add the host principal of each KDC to the propagation configuration file:
kdc1 # pfedit /etc/krb5/kpropd.acl
host/kdc1.example.com@EXAMPLE.COM
host/kdc2.example.com@EXAMPLE.COM
host/kdc3.example.com@EXAMPLE.COM
host/kdc4.example.com@EXAMPLE.COM
On the new slave KDC, start the kpropd daemon and the KDC daemon:
kdc1 # svcadm enable -r network/security/krb5_prop
kdc1 # svcadm enable -r network/security/krb5kdc
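The two kdc.conf edits in this procedure (disable sunw_dbprop_master_ulogsize and set sunw_dbprop_slave_poll on the server that becomes a slave; the reverse on the server that becomes the master) are easy to get half done by hand, which leaves a KDC with both settings active or neither. The following POSIX shell script is an added example, not part of the Oracle procedure: it applies either edit to a kdc.conf file, reports which propagation role a kdc.conf describes so the result can be checked on both servers, and lists the slaves that a kadm5.acl allows to request incremental propagation. The function names, the awk logic, the sample kdc.conf and the sample kadm5.acl lines are constructed for this example; only the sunw_dbprop_* key names, the values 2m and 1000, and the kiprop/p convention come from the page. On a real server the file is /etc/krb5/kdc.conf and the edit would be applied with pfedit as shown above.

```shell
#!/bin/sh
# Added example for this procedure (not Oracle's own code). Assumes the
# "key = value" kdc.conf layout shown on this page; the sample files and
# the function names are constructed for illustration.

# Print FILE with any active OFF_KEY line commented out and ON_KEY set to
# VALUE. An existing ON_KEY line (live or commented) is reused; otherwise
# one is added before the realm block's closing brace.
kdc_conf_set_role() {
    file=$1 off_key=$2 on_key=$3 value=$4
    awk -v offk="$off_key" -v onk="$on_key" -v val="$value" '
      function ind(s) { match(s, /^[ \t]*/); return substr(s, 1, RLENGTH) }
      # key named by a line, ignoring leading blanks and a leading comment mark
      function keyname(s) { sub(/^[ \t]*[#]?[ \t]*/, "", s); sub(/[ \t]*=.*/, "", s); return s }
      # an active OFF_KEY line is kept but disabled, which makes swapping back easy
      keyname($0) == offk && $0 !~ /^[ \t]*[#]/ {
          i = ind($0); print i "# " substr($0, length(i) + 1); next
      }
      # any ON_KEY line, live or commented, becomes the live value
      keyname($0) == onk { print ind($0) onk " = " val; seen = 1; next }
      # no ON_KEY line at all: add one before the realm block closes
      /^[ \t]*}/ && !seen { print li onk " = " val; seen = 1 }
      /=/ { li = ind($0) }          # remember key indentation for that insert
      { print }
    ' "$file"
}

# Old master -> slave (the kdc1 edit): disable the ulog size, set the poll interval.
kdc_conf_to_slave()  { kdc_conf_set_role "$1" sunw_dbprop_master_ulogsize sunw_dbprop_slave_poll "${2:-2m}"; }
# Slave -> new master (the kdc4 edit): disable the poll interval, set the ulog size.
kdc_conf_to_master() { kdc_conf_set_role "$1" sunw_dbprop_slave_poll sunw_dbprop_master_ulogsize "${2:-1000}"; }

# Report the role FILE describes: master, slave, both (misconfigured) or none.
kdc_conf_role() {
    awk '
      function keyname(s) { sub(/^[ \t]*/, "", s); sub(/[ \t]*=.*/, "", s); return s }
      /^[ \t]*[#]/ { next }                                   # commented lines do not count
      keyname($0) == "sunw_dbprop_master_ulogsize" { m = 1 }
      keyname($0) == "sunw_dbprop_slave_poll"      { s = 1 }
      END { r = (m && s) ? "both" : m ? "master" : s ? "slave" : "none"; print r }
    ' "$1"
}

# Print the hosts whose kiprop principal may request incremental propagation
# according to a kadm5.acl: a kiprop/ entry whose privilege string is "*", "x"
# or contains "p" (privilege letters as in kadm5.acl(4)).
iprop_slaves() {
    awk '
      /^[ \t]*[#]/ || NF < 2 { next }
      $1 ~ /^kiprop\// && ($2 == "*" || $2 == "x" || $2 ~ /p/) {
          h = $1; sub(/^kiprop\//, "", h); sub(/@.*/, "", h); print h
      }
    ' "$1"
}

# Constructed sample matching the kdc.conf shown on this page.
sample_kdc_conf() {
    cat <<'EOF'
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM= {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
EOF
}

# Stand-alone demo: turn the sample (a master) into a slave and report both roles.
demo=$(mktemp)
sample_kdc_conf > "$demo"
echo "sample role: $(kdc_conf_role "$demo")"
kdc_conf_to_slave "$demo" 2m > "$demo.slave"
echo "after kdc_conf_to_slave: $(kdc_conf_role "$demo.slave")"
cat "$demo.slave"
rm -f "$demo" "$demo.slave"
```

The edits are written so that running them twice changes nothing, and the disabled key is kept as a comment rather than deleted, which is exactly what lets the same server be swapped back later. After the swap, kdc_conf_role should print master on kdc4 and slave on kdc1; a result of both on either server means one half of the edit was missed.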