krb5: Import MIT 1.21.3 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
commit	8f7d3ef26dec89a92ec0665de84a5936310a5574 (patch)
tree	9a465418bd4056bf0d369751320a414eaed29fa4 /doc/html/admin/install_kdc.html
parent	1a79b20663ca26acc2998b90ea2ff2aefd8af5b1 (diff)

Diffstat (limited to 'doc/html/admin/install_kdc.html')

-rw-r--r--

doc/html/admin/install_kdc.html

270

1 files changed, 132 insertions, 138 deletions

diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html
index c8e5f9a08100..6f2519132958 100644
--- a/doc/html/admin/install_kdc.html
+++ b/doc/html/admin/install_kdc.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>Installing KDCs — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../_static/jquery.js"></script>

- <script type="text/javascript" src="../_static/underscore.js"></script>

- <script type="text/javascript" src="../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />

+ <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>

+ <script src="../_static/jquery.js"></script>

+ <script src="../_static/underscore.js"></script>

+ <script src="../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,7 +52,7 @@

- <div class="section" id="installing-kdcs">

+ <section id="installing-kdcs">

<h1>Installing KDCs<a class="headerlink" href="#installing-kdcs" title="Permalink to this headline">¶</a></h1>

When setting up Kerberos in a production environment, it is best to

have multiple replica KDCs alongside with a primary KDC to ensure the

@@ -78,40 +69,40 @@ KDC with one of the replicas if necessary (see

<a class="reference internal" href="#switch-primary-replica">Switching primary and replica KDCs</a>). This installation procedure is based

on that recommendation.

-Warning

-<ul class="last simple">

-<li>The Kerberos system relies on the availability of correct time

+Warning

+<ul class="simple">

+<li>The Kerberos system relies on the availability of correct time

information. Ensure that the primary and all replica KDCs have

-properly synchronized clocks.</li>

-<li>It is best to install and run KDCs on secured and dedicated

+properly synchronized clocks.</li>

+<li>It is best to install and run KDCs on secured and dedicated

hardware with limited access. If your KDC is also a file

server, FTP server, Web server, or even just a client machine,

someone who obtained root access through a security hole in any

of those areas could potentially gain access to the Kerberos

-database.</li>

+database.</li>

</ul>

</div>

-<div class="section" id="install-and-configure-the-primary-kdc">

+<section id="install-and-configure-the-primary-kdc">

<h2>Install and configure the primary KDC<a class="headerlink" href="#install-and-configure-the-primary-kdc" title="Permalink to this headline">¶</a></h2>

Install Kerberos either from the OS-provided packages or from the

source (See <a class="reference internal" href="../build/doing_build.html#do-build">Building within a single tree</a>).

-Note

+Note

For the purpose of this document we will use the following

names:

-<div class="highlight-default"><div class="highlight"><pre>kerberos.mit.edu - primary KDC

+<div class="highlight-default notranslate"><div class="highlight"><pre>kerberos.mit.edu - primary KDC

kerberos-1.mit.edu - replica KDC

ATHENA.MIT.EDU - realm name

.k5.ATHENA.MIT.EDU - stash file

admin/admin - admin principal

</pre></div>

</div>

-See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults">MIT Kerberos defaults</a> for the default names and locations

+See <a class="reference internal" href="../mitK5defaults.html#mitk5defaults">MIT Kerberos defaults</a> for the default names and locations

of the relevant to this topic files. Adjust the names and

paths to your system environment.

</div>

-</div>

-<div class="section" id="edit-kdc-configuration-files">

+</section>

+<section id="edit-kdc-configuration-files">

<h2>Edit KDC configuration files<a class="headerlink" href="#edit-kdc-configuration-files" title="Permalink to this headline">¶</a></h2>

Modify the configuration files, <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5">krb5.conf</a> and

<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5">kdc.conf</a>, to reflect the correct information (such as

@@ -126,11 +117,11 @@ section will explain those.

default ones, set KRB5_CONFIG and KRB5_KDC_PROFILE environment

variables to point to the krb5.conf and kdc.conf respectively. For

example:

-<div class="highlight-default"><div class="highlight"><pre>export KRB5_CONFIG=/yourdir/krb5.conf

+<div class="highlight-default notranslate"><div class="highlight"><pre>export KRB5_CONFIG=/yourdir/krb5.conf

export KRB5_KDC_PROFILE=/yourdir/kdc.conf

</pre></div>

</div>

-<div class="section" id="krb5-conf">

+<section id="krb5-conf">

If you are not using DNS TXT records (see <a class="reference internal" href="realm_config.html#mapping-hostnames">Mapping hostnames onto Kerberos realms</a>),

you must specify the default_realm in the <a class="reference internal" href="conf_files/krb5_conf.html#libdefaults">[libdefaults]</a>

@@ -141,7 +132,7 @@ communicate with the kadmin server in each realm, the admin_server</stro

tag must be set in the

<a class="reference internal" href="conf_files/krb5_conf.html#realms">[realms]</a> section.

An example krb5.conf file:

-<div class="highlight-default"><div class="highlight"><pre>[libdefaults]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[libdefaults]

default_realm = ATHENA.MIT.EDU

[realms]

@@ -152,14 +143,14 @@ tag must be set in the

}

</pre></div>

</div>

-</div>

-<div class="section" id="kdc-conf">

+</section>

+<section id="kdc-conf">

The kdc.conf file can be used to control the listening ports of the

KDC and kadmind, as well as realm-specific defaults, the database type

and location, and logging.

An example kdc.conf file:

-<div class="highlight-default"><div class="highlight"><pre>[kdcdefaults]

+<div class="highlight-default notranslate"><div class="highlight"><pre>[kdcdefaults]

kdc_listen = 88

kdc_tcp_listen = 88

@@ -185,23 +176,23 @@ and location, and logging.

default = FILE:/var/log/krb5lib.log

</pre></div>

</div>

-Replace <code class="docutils literal">ATHENA.MIT.EDU</code> and <code class="docutils literal">kerberos.mit.edu</code> with the name of

+Replace <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> and <code class="docutils literal notranslate">kerberos.mit.edu</code> with the name of

your Kerberos realm and server respectively.

-Note

-You have to have write permission on the target directories

+Note

+You have to have write permission on the target directories

(these directories must exist) used by database_name,

key_stash_file, and acl_file.

</div>

-</div>

-<div class="section" id="create-the-kdc-database">

+</section>

+<section id="create-the-kdc-database">

<h2>Create the KDC database<a class="headerlink" href="#create-the-kdc-database" title="Permalink to this headline">¶</a></h2>

You will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8">kdb5_util</a> command on the primary KDC to

create the Kerberos database and the optional <a class="reference internal" href="../basic/stash_file_def.html#stash-definition">stash file</a>.

-Note

-If you choose not to install a stash file, the KDC will

+Note

+If you choose not to install a stash file, the KDC will

prompt you for the master key each time it starts up. This

means that the KDC will not be able to start automatically,

such as after a system reboot.

@@ -220,8 +211,8 @@ substituting the numeral “4” for the word “for”, and includes the

punctuation mark at the end.)

The following is an example of how to create a Kerberos database and

stash file on the primary KDC, using the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8">kdb5_util</a> command.

-Replace <code class="docutils literal">ATHENA.MIT.EDU</code> with the name of your Kerberos realm:

-<div class="highlight-default"><div class="highlight"><pre>shell% kdb5_util create -r ATHENA.MIT.EDU -s

+Replace <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> with the name of your Kerberos realm:

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% kdb5_util create -r ATHENA.MIT.EDU -s

Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',

master key name 'K/M@ATHENA.MIT.EDU'

@@ -232,30 +223,30 @@ Replace <code class="docutils literal">ATHENA.MIT.EDU</

shell%

</pre></div>

</div>

-This will create five files in <a class="reference internal" href="../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code> (or at the locations specified

+This will create five files in <a class="reference internal" href="../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code> (or at the locations specified

in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5">kdc.conf</a>):

-<li>two Kerberos database files, <code class="docutils literal">principal</code>, and <code class="docutils literal">principal.ok</code></li>

-<li>the Kerberos administrative database file, <code class="docutils literal">principal.kadm5</code></li>

-<li>the administrative database lock file, <code class="docutils literal">principal.kadm5.lock</code></li>

-<li>the stash file, in this example <code class="docutils literal">.k5.ATHENA.MIT.EDU</code>. If you do

+<li>two Kerberos database files, <code class="docutils literal notranslate">principal</code>, and <code class="docutils literal notranslate">principal.ok</code></li>

+<li>the Kerberos administrative database file, <code class="docutils literal notranslate">principal.kadm5</code></li>

+<li>the administrative database lock file, <code class="docutils literal notranslate">principal.kadm5.lock</code></li>

+<li>the stash file, in this example <code class="docutils literal notranslate">.k5.ATHENA.MIT.EDU</code>. If you do

not want a stash file, run the above command without the -s

-option.</li>

+option.</li>

</ul>

For more information on administrating Kerberos database see

<a class="reference internal" href="database.html#db-operations">Operations on the Kerberos database</a>.

-</div>

-<div class="section" id="add-administrators-to-the-acl-file">

+</section>

+<section id="add-administrators-to-the-acl-file">

<h2>Add administrators to the ACL file<a class="headerlink" href="#add-administrators-to-the-acl-file" title="Permalink to this headline">¶</a></h2>

Next, you need create an Access Control List (ACL) file and put the

Kerberos principal of at least one of the administrators into it.

This file is used by the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon to control which

principals may view and make privileged modifications to the Kerberos

database files. The ACL filename is determined by the acl_file

-variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5">kdc.conf</a>; the default is <a class="reference internal" href="../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/kadm5.acl</code>.

+variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5">kdc.conf</a>; the default is <a class="reference internal" href="../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/kadm5.acl</code>.

For more information on Kerberos ACL file see <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5">kadm5.acl</a>.

-</div>

-<div class="section" id="add-administrators-to-the-kerberos-database">

+</section>

+<section id="add-administrators-to-the-kerberos-database">

<h2>Add administrators to the Kerberos database<a class="headerlink" href="#add-administrators-to-the-kerberos-database" title="Permalink to this headline">¶</a></h2>

Next you need to add administrative principals (i.e., principals who

are allowed to administer Kerberos database) to the Kerberos database.

@@ -268,9 +259,9 @@ authentication to an admin server; instead, it must have read and

write access to the Kerberos database on the local filesystem.

The administrative principals you create should be the ones you added

to the ACL file (see <a class="reference internal" href="#admin-acl">Add administrators to the ACL file</a>).

-In the following example, the administrative principal <code class="docutils literal">admin/admin</code>

+In the following example, the administrative principal <code class="docutils literal notranslate">admin/admin</code>

is created:

-<div class="highlight-default"><div class="highlight"><pre>shell% kadmin.local

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% kadmin.local

kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU

@@ -282,28 +273,28 @@ is created:

kadmin.local:

</pre></div>

</div>

-</div>

-<div class="section" id="start-the-kerberos-daemons-on-the-primary-kdc">

+</section>

+<section id="start-the-kerberos-daemons-on-the-primary-kdc">

<h2>Start the Kerberos daemons on the primary KDC<a class="headerlink" href="#start-the-kerberos-daemons-on-the-primary-kdc" title="Permalink to this headline">¶</a></h2>

At this point, you are ready to start the Kerberos KDC

(<a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8">krb5kdc</a>) and administrative daemons on the primary KDC. To

do so, type:

-<div class="highlight-default"><div class="highlight"><pre>shell% krb5kdc

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% krb5kdc

shell% kadmind

</pre></div>

</div>

Each server daemon will fork and run in the background.

-Note

-Assuming you want these daemons to start up automatically at

-boot time, you can add them to the KDC’s <code class="docutils literal">/etc/rc</code> or

-<code class="docutils literal">/etc/inittab</code> file. You need to have a

+Note

+Assuming you want these daemons to start up automatically at

+boot time, you can add them to the KDC’s <code class="docutils literal notranslate">/etc/rc</code> or

+<code class="docutils literal notranslate">/etc/inittab</code> file. You need to have a

<a class="reference internal" href="../basic/stash_file_def.html#stash-definition">stash file</a> in order to do this.

</div>

You can verify that they started properly by checking for their

startup messages in the logging locations you defined in

<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5">krb5.conf</a> (see <a class="reference internal" href="conf_files/kdc_conf.html#logging">[logging]</a>). For example:

-<div class="highlight-default"><div class="highlight"><pre>shell% tail /var/log/krb5kdc.log

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% tail /var/log/krb5kdc.log

Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation

shell% tail /var/log/kadmin.log

Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting

@@ -314,32 +305,32 @@ the logging output.

As an additional verification, check if <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1">kinit</a> succeeds

against the principals that you have created on the previous step

(<a class="reference internal" href="#addadmin-kdb">Add administrators to the Kerberos database</a>). Run:

-<div class="highlight-default"><div class="highlight"><pre>shell% kinit admin/admin@ATHENA.MIT.EDU

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% kinit admin/admin@ATHENA.MIT.EDU

</pre></div>

</div>

-</div>

-<div class="section" id="install-the-replica-kdcs">

+</section>

+<section id="install-the-replica-kdcs">

<h2>Install the replica KDCs<a class="headerlink" href="#install-the-replica-kdcs" title="Permalink to this headline">¶</a></h2>

You are now ready to start configuring the replica KDCs.

-Note

-Assuming you are setting the KDCs up so that you can easily

+Note

+Assuming you are setting the KDCs up so that you can easily

switch the primary KDC with one of the replicas, you should

perform each of these steps on the primary KDC as well as

the replica KDCs, unless these instructions specify

otherwise.

</div>

-<div class="section" id="create-host-keytabs-for-replica-kdcs">

+<section id="create-host-keytabs-for-replica-kdcs">

<h3>Create host keytabs for replica KDCs<a class="headerlink" href="#create-host-keytabs-for-replica-kdcs" title="Permalink to this headline">¶</a></h3>

-Each KDC needs a <code class="docutils literal">host</code> key in the Kerberos database. These keys

+Each KDC needs a <code class="docutils literal notranslate">host</code> key in the Kerberos database. These keys

are used for mutual authentication when propagating the database dump

file from the primary KDC to the secondary KDC servers.

On the primary KDC, connect to administrative interface and create the

-host principal for each of the KDCs’ <code class="docutils literal">host</code> services. For example,

-if the primary KDC were called <code class="docutils literal">kerberos.mit.edu</code>, and you had a

-replica KDC named <code class="docutils literal">kerberos-1.mit.edu</code>, you would type the

+host principal for each of the KDCs’ <code class="docutils literal notranslate">host</code> services. For example,

+if the primary KDC were called <code class="docutils literal notranslate">kerberos.mit.edu</code>, and you had a

+replica KDC named <code class="docutils literal notranslate">kerberos-1.mit.edu</code>, you would type the

following:

-<div class="highlight-default"><div class="highlight"><pre>shell% kadmin

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% kadmin

kadmin: addprinc -randkey host/kerberos.mit.edu

No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"

Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.

@@ -352,13 +343,13 @@ following:

It is not strictly necessary to have the primary KDC server in the

Kerberos database, but it can be handy if you want to be able to swap

the primary KDC with one of the replicas.

-Next, extract <code class="docutils literal">host</code> random keys for all participating KDCs and

+Next, extract <code class="docutils literal notranslate">host</code> random keys for all participating KDCs and

store them in each host’s default keytab file. Ideally, you should

extract each keytab locally on its own KDC. If this is not feasible,

you should use an encrypted session to send them across the network.

To extract a keytab directly on a replica KDC called

-<code class="docutils literal">kerberos-1.mit.edu</code>, you would execute the following command:

+<code class="docutils literal notranslate">kerberos-1.mit.edu</code>, you would execute the following command:

Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption

type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

@@ -370,29 +361,29 @@ To extract a keytab directly on a replica KDC called

</pre></div>

</div>

If you are instead extracting a keytab for the replica KDC called

-<code class="docutils literal">kerberos-1.mit.edu</code> on the primary KDC, you should use a dedicated

+<code class="docutils literal notranslate">kerberos-1.mit.edu</code> on the primary KDC, you should use a dedicated

temporary keytab file for that machine’s keytab:

-<div class="highlight-default"><div class="highlight"><pre>kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu

+<div class="highlight-default notranslate"><div class="highlight"><pre>kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu

type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

</pre></div>

</div>

-The file <code class="docutils literal">/tmp/kerberos-1.keytab</code> can then be installed as

-<code class="docutils literal">/etc/krb5.keytab</code> on the host <code class="docutils literal">kerberos-1.mit.edu</code>.

-</div>

-<div class="section" id="configure-replica-kdcs">

+The file <code class="docutils literal notranslate">/tmp/kerberos-1.keytab</code> can then be installed as

+<code class="docutils literal notranslate">/etc/krb5.keytab</code> on the host <code class="docutils literal notranslate">kerberos-1.mit.edu</code>.

+</section>

+<section id="configure-replica-kdcs">

<h3>Configure replica KDCs<a class="headerlink" href="#configure-replica-kdcs" title="Permalink to this headline">¶</a></h3>

Database propagation copies the contents of the primary’s database,

but does not propagate configuration files, stash files, or the kadm5

ACL file. The following files must be copied by hand to each replica

(see <a class="reference internal" href="../mitK5defaults.html#mitk5defaults">MIT Kerberos defaults</a> for the default locations for these files):

-<li>krb5.conf</li>

-<li>kdc.conf</li>

-<li>kadm5.acl</li>

-<li>master key stash file</li>

+<li>krb5.conf</li>

+<li>kdc.conf</li>

+<li>kadm5.acl</li>

+<li>master key stash file</li>

</ul>

Move the copied files into their appropriate directories, exactly as

on the primary KDC. kadm5.acl is only needed to allow a replica to

@@ -401,30 +392,30 @@ swap with the primary KDC.

via the <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8">kpropd</a> daemon. You must explicitly specify the

principals which are allowed to provide Kerberos dump updates on the

replica machine with a new database. Create a file named kpropd.acl

-in the KDC state directory containing the <code class="docutils literal">host</code> principals for each

+in the KDC state directory containing the <code class="docutils literal notranslate">host</code> principals for each

of the KDCs:

-<div class="highlight-default"><div class="highlight"><pre>host/kerberos.mit.edu@ATHENA.MIT.EDU

+<div class="highlight-default notranslate"><div class="highlight"><pre>host/kerberos.mit.edu@ATHENA.MIT.EDU

host/kerberos-1.mit.edu@ATHENA.MIT.EDU

</pre></div>

</div>

-Note

-If you expect that the primary and replica KDCs will be

+Note

+If you expect that the primary and replica KDCs will be

switched at some point of time, list the host principals

from all participating KDC servers in kpropd.acl files on

all of the KDCs. Otherwise, you only need to list the

primary KDC’s host principal in the kpropd.acl files of the

replica KDCs.

</div>

-Then, add the following line to <code class="docutils literal">/etc/inetd.conf</code> on each KDC

+Then, add the following line to <code class="docutils literal notranslate">/etc/inetd.conf</code> on each KDC

(adjust the path to kpropd):

-<div class="highlight-default"><div class="highlight"><pre>krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

+<div class="highlight-default notranslate"><div class="highlight"><pre>krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

</pre></div>

</div>

-You also need to add the following line to <code class="docutils literal">/etc/services</code> on each

+You also need to add the following line to <code class="docutils literal notranslate">/etc/services</code> on each

KDC, if it is not already present (assuming that the default port is

used):

-<div class="highlight-default"><div class="highlight"><pre>krb5_prop 754/tcp # Kerberos replica propagation

+<div class="highlight-default notranslate"><div class="highlight"><pre>krb5_prop 754/tcp # Kerberos replica propagation

</pre></div>

</div>

Restart inetd daemon.

@@ -434,17 +425,17 @@ required when incremental propagation is enabled.

you’ll need to propagate the database from the primary server.

NOTE: Do not start the replica KDC yet; you still do not have a copy

of the primary’s database.

-</div>

-<div class="section" id="propagate-the-database-to-each-replica-kdc">

+</section>

+<section id="propagate-the-database-to-each-replica-kdc">

<h3>Propagate the database to each replica KDC<a class="headerlink" href="#propagate-the-database-to-each-replica-kdc" title="Permalink to this headline">¶</a></h3>

First, create a dump file of the database on the primary KDC, as

follows:

-<div class="highlight-default"><div class="highlight"><pre>shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans

</pre></div>

</div>

Then, manually propagate the database to each replica KDC, as in the

following example:

-<div class="highlight-default"><div class="highlight"><pre>shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu

Database propagation to kerberos-1.mit.edu: SUCCEEDED

</pre></div>

@@ -452,11 +443,11 @@ following example:

You will need a script to dump and propagate the database. The

following is an example of a Bourne shell script that will do this.

-Note

-Remember that you need to replace <code class="docutils literal">/usr/local/var/krb5kdc</code>

+Note

+Remember that you need to replace <code class="docutils literal notranslate">/usr/local/var/krb5kdc</code>

with the name of the KDC state directory.

</div>

-<div class="highlight-default"><div class="highlight"><pre>#!/bin/sh

+<div class="highlight-default notranslate"><div class="highlight"><pre>#!/bin/sh

kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"

@@ -472,26 +463,26 @@ done

you decided on earlier (see <a class="reference internal" href="realm_config.html#db-prop">Database propagation</a>).

Now that the replica KDC has a copy of the Kerberos database, you can

start the krb5kdc daemon:

-<div class="highlight-default"><div class="highlight"><pre>shell% krb5kdc

+<div class="highlight-default notranslate"><div class="highlight"><pre>shell% krb5kdc

</pre></div>

</div>

As with the primary KDC, you will probably want to add this command to

-the KDCs’ <code class="docutils literal">/etc/rc</code> or <code class="docutils literal">/etc/inittab</code> files, so they will start

+the KDCs’ <code class="docutils literal notranslate">/etc/rc</code> or <code class="docutils literal notranslate">/etc/inittab</code> files, so they will start

the krb5kdc daemon automatically at boot time.

-<div class="section" id="propagation-failed">

+<section id="propagation-failed">

<h4>Propagation failed?<a class="headerlink" href="#propagation-failed" title="Permalink to this headline">¶</a></h4>

You may encounter the following error messages. For a more detailed

discussion on possible causes and solutions click on the error link

to be redirected to <a class="reference internal" href="troubleshoot.html#troubleshoot">Troubleshooting</a> section.

-<li><a class="reference internal" href="troubleshoot.html#kprop-no-route">kprop: No route to host while connecting to server</a></li>

-<li><a class="reference internal" href="troubleshoot.html#kprop-con-refused">kprop: Connection refused while connecting to server</a></li>

-<li><a class="reference internal" href="troubleshoot.html#kprop-sendauth-exchange">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</a></li>

+<li><a class="reference internal" href="troubleshoot.html#kprop-no-route">kprop: No route to host while connecting to server</a></li>

+<li><a class="reference internal" href="troubleshoot.html#kprop-con-refused">kprop: Connection refused while connecting to server</a></li>

+<li><a class="reference internal" href="troubleshoot.html#kprop-sendauth-exchange">kprop: Server rejected authentication (during sendauth exchange) while authenticating to server</a></li>

</ol>

-</div>

-<div class="section" id="add-kerberos-principals-to-the-database">

+</section>

+<section id="add-kerberos-principals-to-the-database">

<h2>Add Kerberos principals to the database<a class="headerlink" href="#add-kerberos-principals-to-the-database" title="Permalink to this headline">¶</a></h2>

Once your KDCs are set up and running, you are ready to use

<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1">kadmin</a> to load principals for your users, hosts, and other

@@ -501,8 +492,8 @@ fully in <a class="reference internal" href="database.html#principals"><span cla

primary. This might happen if you are upgrading the primary KDC, or

if your primary KDC has a disk crash. See the following section for

the instructions.

-</div>

-<div class="section" id="switching-primary-and-replica-kdcs">

+</section>

+<section id="switching-primary-and-replica-kdcs">

<h2>Switching primary and replica KDCs<a class="headerlink" href="#switching-primary-and-replica-kdcs" title="Permalink to this headline">¶</a></h2>

You may occasionally want to use one of your replica KDCs as the

primary. This might happen if you are upgrading the primary KDC, or

@@ -513,36 +504,38 @@ recommends), all you need to do to make the changeover is:

If the primary KDC is still running, do the following on the old

primary KDC:

-<li>Kill the kadmind process.</li>

-<li>Disable the cron job that propagates the database.</li>

-<li>Run your database propagation script manually, to ensure that the

+<li>Kill the kadmind process.</li>

+<li>Disable the cron job that propagates the database.</li>

+<li>Run your database propagation script manually, to ensure that the

replicas all have the latest copy of the database (see

-<a class="reference internal" href="#kprop-to-replicas">Propagate the database to each replica KDC</a>).</li>

+<a class="reference internal" href="#kprop-to-replicas">Propagate the database to each replica KDC</a>).</li>

</ol>

On the new primary KDC:

-<li>Start the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon (see <a class="reference internal" href="#start-kdc-daemons">Start the Kerberos daemons on the primary KDC</a>).</li>

-<li>Set up the cron job to propagate the database (see

-<a class="reference internal" href="#kprop-to-replicas">Propagate the database to each replica KDC</a>).</li>

-<li>Switch the CNAMEs of the old and new primary KDCs. If you can’t do

+<li>Start the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon (see <a class="reference internal" href="#start-kdc-daemons">Start the Kerberos daemons on the primary KDC</a>).</li>

+<li>Set up the cron job to propagate the database (see

+<a class="reference internal" href="#kprop-to-replicas">Propagate the database to each replica KDC</a>).</li>

+<li>Switch the CNAMEs of the old and new primary KDCs. If you can’t do

this, you’ll need to change the <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5">krb5.conf</a> file on every

-client machine in your Kerberos realm.</li>

+client machine in your Kerberos realm.</li>

</ol>

-</div>

-<div class="section" id="incremental-database-propagation">

+</section>

+<section id="incremental-database-propagation">

<h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2>

If you expect your Kerberos database to become large, you may wish to

set up incremental propagation to replica KDCs. See

<a class="reference internal" href="database.html#incr-db-prop">Incremental database propagation</a> for details.

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

<li><a class="reference internal" href="#">Installing KDCs</a><ul>

@@ -628,6 +621,7 @@ set up incremental propagation to replica KDCs. See

</form>

</div>

</div>

@@ -635,8 +629,8 @@ set up incremental propagation to replica KDCs. See

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

</div>