Wednesday, December 22, 2010

Debian Kerberos Slave

Slave KDCs provide an additional source of Kerberos ticket-granting services in the event that the master KDC becomes inaccessible. It is recommended that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as krb for the master KDC and kdc1, kdc2, ... for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry rather than having to change hostnames.

Master (Primary) Kerberos Server

  1. Add the new slave to the realm section of /etc/krb5.conf (on the master and any other slaves); the hostnames in angle brackets are placeholders:
            DEV.LOCAL = {
                    kdc = <master-kdc>
                    kdc = <slave-kdc>
                    admin_server = <master-kdc>
            }
    Alternatively (the preferred way), consider setting up DNS discovery. Read here how.
  2. Add the slave host principal and write it to the keytab (placeholder for the slave's FQDN):
    kadmin.local -q "addprinc -randkey host/<slave-kdc-fqdn>"
    kadmin.local -q "ktadd host/<slave-kdc-fqdn>"
  3. Create the database propagation host list (file /etc/krb5kdc/kpropd.acl); it lists the master's host principal, which is the only principal allowed to push a database to the slave:
    host/<master-kdc-fqdn>@DEV.LOCAL
  4. Create a dump of the Kerberos database (this is the default path used by the kprop utility):
    kdb5_util dump /var/lib/krb5kdc/slave_datatrans

Secondary (Slave, Read-Only) Kerberos Server

  1. Install the Kerberos server and xinetd (used for database propagation):
    apt-get install krb5-kdc xinetd
  2. Copy (a) the realm configuration (file /etc/krb5.conf), (b) the database propagation list (file /etc/krb5kdc/kpropd.acl), (c) the keytab (file /etc/krb5.keytab) and (d) the logrotate settings from the master, e.g. using scp:
    scp kdc1:/etc/krb5.conf /etc
    scp kdc1:/etc/krb5kdc/kpropd.acl /etc/krb5kdc
    scp kdc1:/etc/krb5.keytab /etc
    scp kdc1:/etc/logrotate.d/krb5 /etc/logrotate.d
    mkdir /var/log/krb5
  3. Set up the database propagation service (file /etc/xinetd.d/krb_prop):
    service krb_prop
    {
            disable         = no
            socket_type     = stream
            protocol        = tcp
            user            = root
            wait            = no
            server          = /usr/sbin/kpropd
    }
    Restart the xinetd service:
    /etc/init.d/xinetd restart

Propagate database

  1. Propagate the database from the master to the slave (placeholder for the slave hostname):
    kdc1:~# kprop <slave-kdc>
    Database propagation to SUCCEEDED
  2. Create the database stash key on the slave:
    kdb5_util stash
  3. Start the Kerberos slave service:
    /etc/init.d/krb5-kdc start

Automate database propagation

  1. Here is a script that propagates the master database to all slaves (run on the master, file /usr/local/sbin/krb5-prop):
    #!/bin/sh
    # Dump the master KDC database and push it to every slave KDC.
    slaves="<slave-kdc-hostnames>"   # placeholder: space-separated slave hostnames
    /usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans
    error=$?
    if [ $error -ne 0 ]; then
      echo "Kerberos database dump failed."
      exit 1
    fi
    for slave in $slaves; do
      /usr/sbin/kprop $slave > /dev/null
      error=$?
      if [ $error -ne 0 ]; then
        echo "Kerberos propagation to host $slave failed."
      fi
    done
    exit 0
    Ensure the file is executable:
    chmod +x /usr/local/sbin/krb5-prop
  2. Schedule a cron job (file /usr/local/sbin/cron-krb5-prop):
    # Regular cron job for Kerberos database propagation
    # Runs every hour at minute 53
    # Log file path is an assumption; adjust to taste
    LOG=/var/log/krb5/krb5-prop.log
    53 * * * * root test -x /usr/local/sbin/krb5-prop && /usr/local/sbin/krb5-prop >> $LOG
    ... and let cron know about it:
    ln -s /usr/local/sbin/cron-krb5-prop /etc/cron.d/cron-krb5-prop
Finally, here is how to test that it is working:
  1. Stop the master Kerberos server:
    /etc/init.d/krb5-kdc stop
  2. Open the log file on the slave:
    tail -f /var/log/krb5/kdc.log
  3. Log in to a Kerberos client:
    ssh user1@deby01
  4. Watch the log on the slave; you should see authentication messages.
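Two health checks an operator could run from cron on the slave, added here as an example and not part of the original post: one detects propagation that has silently stopped, the other detects unexpected entries in kpropd.acl. It assumes that kpropd keeps the last received dump at /var/lib/krb5kdc/from_master, and the principal host/kdc1.dev.local@DEV.LOCAL in the usage lines is constructed from the kdc1 alias and DEV.LOCAL realm above.

```shell
#!/bin/sh
# Added example (not from the original post): two health checks for a slave KDC.
# Assumption not stated on the page: kpropd keeps the last dump it received at
# /var/lib/krb5kdc/from_master, so that file's mtime is the time of the last
# successful propagation. Both checks take their paths as arguments.

# check_prop_age FILE MAX_AGE_SECONDS
# Returns 0 if FILE changed within MAX_AGE_SECONDS, 1 if it is older (the cron
# job has silently stopped pushing), 2 if no propagation was ever received.
check_prop_age() {
    file=$1 max_age=$2
    [ -f "$file" ] || { echo "MISSING: $file (no propagation received)"; return 2; }
    # GNU stat first, BSD stat as a fallback
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    age=$(( $(date +%s) - mtime ))
    if [ "$age" -gt "$max_age" ]; then
        echo "STALE: $file last updated ${age}s ago, limit is ${max_age}s"
        return 1
    fi
    echo "OK: $file updated ${age}s ago"
}

# check_kpropd_acl ACL_FILE EXPECTED_PRINCIPAL
# Every principal listed in kpropd.acl may replace this KDC's whole database,
# so the file should contain exactly the master's host principal.
# Returns 0 if it does, 1 otherwise, naming every unexpected or missing entry.
check_kpropd_acl() {
    acl=$1 expected=$2 rc=0 seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue          # blank lines carry no principal
        if [ "$line" = "$expected" ]; then
            seen=1
        else
            echo "UNEXPECTED: $line is allowed to propagate to this KDC"
            rc=1
        fi
    done < "$acl"
    if [ "$seen" -ne 1 ]; then
        echo "MISSING: $expected is not listed in $acl"
        rc=1
    fi
    return $rc
}

# Usage on a slave (realm from the page; master FQDN is constructed):
#   check_prop_age /var/lib/krb5kdc/from_master 7200
#   check_kpropd_acl /etc/krb5kdc/kpropd.acl host/kdc1.dev.local@DEV.LOCAL
```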
Read more about Kerberos here.
